swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2026-04-14 13:19:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

wip: continue migration

Browse source
This commit is contained in:
Leon Schwarzäugl 2026-04-03 22:55:16 +02:00
parent 7ce27d5d2f
commit fa9bd32b0b
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
129 changed files with 6252 additions and 106 deletions
Download patch file Download diff file Expand all files Collapse all files

140
SwarselSystems.org
View file

@ -51,7 +51,7 @@ This project manages my entire IT infrastructure. In particular:
- My work workstation ([[#h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0][Treehouse (DGX Spark)]]) - My work workstation ([[#h:ced1795a-9884-4277-bcde-6f7b9b1cc2f0][Treehouse (DGX Spark)]])
- My phone ([[#h:729af373-37e7-4379-9a3d-b09792219415][Magicant (Phone)]]) - My phone ([[#h:729af373-37e7-4379-9a3d-b09792219415][Magicant (Phone)]])
This is a system that grew organically over {{{days-since(2021,11,27)}}} days and has reached considerable complexity at this point. This documents exists to try and make it understandable to other people as well. This is a system that grew organically over {{{days-since(2021,11,27)}}} days (as of {{{revision-date}}}) and has reached considerable complexity at this point. This documents exists to try and make it understandable to other people as well.
** How to use this document ** How to use this document
:PROPERTIES: :PROPERTIES:
@ -3149,7 +3149,6 @@ This exposes all of my modular configuration as modules. Other people can use th
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.microvm.nixosModules.host inputs.microvm.nixosModules.host
inputs.microvm.nixosModules.microvm inputs.microvm.nixosModules.microvm
inputs.nix-index-database.nixosModules.nix-index inputs.nix-index-database.nixosModules.nix-index
@ -3166,6 +3165,7 @@ This exposes all of my modular configuration as modules. Other people can use th
inputs.noctoggle.nixosModules.default inputs.noctoggle.nixosModules.default
(inputs.nixos-extra-modules + "/modules/guests") (inputs.nixos-extra-modules + "/modules/guests")
(inputs.nixos-extra-modules + "/modules/interface-naming.nix") (inputs.nixos-extra-modules + "/modules/interface-naming.nix")
"${self}/hosds/nixos/${arch}/${configName}"
"${self}/profiles-clone/nixos" "${self}/profiles-clone/nixos"
"${self}/modules-clone/nixos" "${self}/modules-clone/nixos"
{ {
@ -8692,6 +8692,7 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
}; };
includes = [ includes = [
den.provides.define-user den.provides.define-user
den.provides.nixpkgs
]; ];
}; };
}; };
@ -8703,7 +8704,11 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
#+begin_src nix-ts :tangle aspects/shared.nix #+begin_src nix-ts :tangle aspects/shared.nix
{ {
den = { den = {
schema.conf = { lib, ... }: { schema = {
host = { lib, ... }: {
};
conf = { config, lib, ... }: {
options = { options = {
isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)"; isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)";
isMicroVM = lib.mkEnableOption "mark this config as a microvm"; isMicroVM = lib.mkEnableOption "mark this config as a microvm";
@ -8711,6 +8716,24 @@ I also set the =WLR_RENDERER_ALLOW_SOFTWARE=1= to allow this configuration to ru
type = lib.types.str; type = lib.types.str;
default = "swarsel"; default = "swarsel";
}; };
node = {
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ../hosts/${config.class}/${config.system}/${config.name}/secrets;
};
configDir = lib.mkOption {
description = "Path to the base directory for this node.";
type = lib.types.path;
default = ../hosts/${config.class}/${config.system}/${config.name};
};
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
default = true;
};
};
};
}; };
}; };
}; };
@ -10013,6 +10036,94 @@ This is the battery for PII
#+end_src
**** Boot
#+begin_src nix-ts :tangle aspects/boot.nix
{ inputs, ...}:
{
den.aspects.boot = { lib, pkgs, ... }: {
nixos = {
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
environment.systemPackages = [
pkgs.sbctl
];
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 6;
};
};
};
};
}
#+end_src
**** nixpkgs
#+begin_src nix-ts :tangle aspects/nixpkgs.nix
{ self, den, lib, ... }:
let
nixpkgsModule = from:
let
config = if (from ? host) then from.host else if (from ? home) then from.home else { };
in
{
nixpkgs = {
overlays = [
self.outputs.overlays.default
self.outputs.overlays.stables
self.outputs.overlays.modifications
] ++ lib.optionals ((from ? user) || (from ? home)) [
(final: prev:
let
additions = final: _: import "${self}/pkgs/config" {
inherit self config lib;
pkgs = final;
homeConfig = if (from ? user) then from.user else if (from ? home) then from.home else { };
};
in
additions final prev
)
];
config = lib.mkIf (!config.isMicroVM) {
allowUnfree = true;
};
};
};
hostAspect =
{ host }:
{
${host.class} = nixpkgsModule { inherit host; };
};
hostUserAspect =
{ host, user }:
{
${host.class} = nixpkgsModule { inherit host user; };
};
homeAspect =
{ home }:
{
${home.class} = nixpkgsModule { inherit home; };
};
in
{
den.provides.nixpkgs = den.lib.parametric.exactly {
includes = [
hostAspect
hostUserAspect
homeAspect
];
};
}
#+end_src #+end_src
*** Hosts *** Hosts
**** Pyramid **** Pyramid
@ -10020,31 +10131,13 @@ This is the battery for PII
#+begin_src nix-ts :tangle aspects/hosts/pyramid.nix #+begin_src nix-ts :tangle aspects/hosts/pyramid.nix
{ mkNixos, lib, den, ... }: { mkNixos, lib, den, ... }:
let let
hostContext = { host }: hostContext = { host, ... }:
let let
inherit (host) mainUser; inherit (host) mainUser;
in in
{ {
nixos = { self, inputs, lib, ... }: { nixos = { self, inputs, lib, ... }: {
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
"${self}/hosts/nixos/x86_64-linux/pyramid/disk-config.nix"
"${self}/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix"
"${self}/modules/nixos/optional/amdcpu.nix"
"${self}/modules/nixos/optional/amdgpu.nix"
"${self}/modules/nixos/optional/framework.nix"
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/hibernation.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
"${self}/modules/nixos/optional/work.nix"
"${self}/modules/nixos/optional/niri.nix"
"${self}/modules/nixos/optional/noctalia.nix"
];
topology.self = { topology.self = {
interfaces = { interfaces = {
eth1.network = lib.mkForce "home"; eth1.network = lib.mkForce "home";
@ -10099,7 +10192,7 @@ This is the battery for PII
}; };
}; };
}; };
} // lib.optionalAttrs (!minimal) { } // {
swarselprofiles = { swarselprofiles = {
personal = true; personal = true;
}; };
@ -10117,6 +10210,7 @@ This is the battery for PII
includes = [ includes = [
hostContext hostContext
den.aspects.work den.aspects.work
den.aspects.boot
]; ];
}; };
} }

22
aspects/boot.nix Normal file
View file

@ -0,0 +1,22 @@
{ inputs, ... }:
{
den.aspects.boot = { pkgs, ... }: {
nixos = {
imports = [
inputs.lanzaboote.nixosModules.lanzaboote
];
environment.systemPackages = [
pkgs.sbctl
];
boot = {
lanzaboote = {
enable = true;
pkiBundle = "/var/lib/sbctl";
configurationLimit = 6;
};
};
};
};
}

1
aspects/defaults.nix
View file

@ -13,6 +13,7 @@
}; };
includes = [ includes = [
den.provides.define-user den.provides.define-user
den.provides.nixpkgs
]; ];
}; };
}; };

27
aspects/hosts/pyramid.nix
View file

@ -1,29 +1,11 @@
{ mkNixos, lib, den, ... }: { mkNixos, lib, den, ... }:
let let
hostContext = { host }: hostContext = { host, ... }:
let let
inherit (host) mainUser; inherit (host) mainUser;
in in
{ {
nixos = { self, inputs, lib, ... }: { nixos = { self, lib, ... }: {
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
"${self}/hosts/nixos/x86_64-linux/pyramid/disk-config.nix"
"${self}/hosts/nixos/x86_64-linux/pyramid/hardware-configuration.nix"
"${self}/modules/nixos/optional/amdcpu.nix"
"${self}/modules/nixos/optional/amdgpu.nix"
"${self}/modules/nixos/optional/framework.nix"
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/hibernation.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
"${self}/modules/nixos/optional/work.nix"
"${self}/modules/nixos/optional/niri.nix"
"${self}/modules/nixos/optional/noctalia.nix"
];
topology.self = { topology.self = {
interfaces = { interfaces = {
@ -55,7 +37,7 @@ let
}; };
}; };
home-manager = { lib, minimal, ... }: { home-manager = _: {
users."${mainUser}" = { users."${mainUser}" = {
swarselsystems = { swarselsystems = {
isSecondaryGpu = true; isSecondaryGpu = true;
@ -79,7 +61,7 @@ let
}; };
}; };
}; };
} // lib.optionalAttrs (!minimal) { } // {
swarselprofiles = { swarselprofiles = {
personal = true; personal = true;
}; };
@ -99,6 +81,7 @@ lib.recursiveUpdate
includes = [ includes = [
hostContext hostContext
den.aspects.work den.aspects.work
den.aspects.boot
]; ];
}; };
} }

58
aspects/nixpkgs.nix Normal file
View file

@ -0,0 +1,58 @@
{ self, den, lib, ... }:
let
nixpkgsModule = from:
let
config = if (from ? host) then from.host else if (from ? home) then from.home else { };
in
{
nixpkgs = {
overlays = [
self.outputs.overlays.default
self.outputs.overlays.stables
self.outputs.overlays.modifications
] ++ lib.optionals ((from ? user) || (from ? home)) [
(final: prev:
let
additions = final: _: import "${self}/pkgs/config" {
inherit self config lib;
pkgs = final;
homeConfig = if (from ? user) then from.user else if (from ? home) then from.home else { };
};
in
additions final prev
)
];
config = lib.mkIf (!config.isMicroVM) {
allowUnfree = true;
};
};
};
hostAspect =
{ host }:
{
${host.class} = nixpkgsModule { inherit host; };
};
hostUserAspect =
{ host, user }:
{
${host.class} = nixpkgsModule { inherit host user; };
};
homeAspect =
{ home }:
{
${home.class} = nixpkgsModule { inherit home; };
};
in
{
den.provides.nixpkgs = den.lib.parametric.exactly {
includes = [
hostAspect
hostUserAspect
homeAspect
];
};
}

22
aspects/shared.nix
View file

@ -1,6 +1,8 @@
{ {
den = { den = {
schema.conf = { lib, ... }: { schema = {
host = _: { };
conf = { config, lib, ... }: {
options = { options = {
isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)"; isPublic = lib.mkEnableOption "mark this as a public config (= without secrets)";
isMicroVM = lib.mkEnableOption "mark this config as a microvm"; isMicroVM = lib.mkEnableOption "mark this config as a microvm";
@ -8,6 +10,24 @@
type = lib.types.str; type = lib.types.str;
default = "swarsel"; default = "swarsel";
}; };
node = {
secretsDir = lib.mkOption {
description = "Path to the secrets directory for this node.";
type = lib.types.path;
default = ../hosts/${config.class}/${config.system}/${config.name}/secrets;
};
configDir = lib.mkOption {
description = "Path to the base directory for this node.";
type = lib.types.path;
default = ../hosts/${config.class}/${config.system}/${config.name};
};
lockFromBootstrapping = lib.mkOption {
description = "Whether this host should be marked to not be bootstrapped again using swarsel-bootstrap.";
type = lib.types.bool;
default = true;
};
};
};
}; };
}; };
}; };

2
flake/instantiate.nix
View file

@ -21,7 +21,6 @@
inputs.disko.nixosModules.disko inputs.disko.nixosModules.disko
inputs.home-manager.nixosModules.home-manager inputs.home-manager.nixosModules.home-manager
inputs.impermanence.nixosModules.impermanence inputs.impermanence.nixosModules.impermanence
inputs.lanzaboote.nixosModules.lanzaboote
inputs.microvm.nixosModules.host inputs.microvm.nixosModules.host
inputs.microvm.nixosModules.microvm inputs.microvm.nixosModules.microvm
inputs.nix-index-database.nixosModules.nix-index inputs.nix-index-database.nixosModules.nix-index
@ -38,6 +37,7 @@
inputs.noctoggle.nixosModules.default inputs.noctoggle.nixosModules.default
(inputs.nixos-extra-modules + "/modules/guests") (inputs.nixos-extra-modules + "/modules/guests")
(inputs.nixos-extra-modules + "/modules/interface-naming.nix") (inputs.nixos-extra-modules + "/modules/interface-naming.nix")
"${self}/hosds/nixos/${arch}/${configName}"
"${self}/profiles-clone/nixos" "${self}/profiles-clone/nixos"
"${self}/modules-clone/nixos" "${self}/modules-clone/nixos"
{ {

44
hosds/android/aarch64-linux/magicant/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ pkgs, ... }: {
environment = {
packages = with pkgs; [
vim
git
openssh
# toybox
dig
man
gnupg
curl
deadnix
statix
nixpgks-fmt
nvd
];
etcBackupExtension = ".bak";
extraOutputsToInstall = [
"doc"
"info"
"devdoc"
];
motd = null;
};
android-integration = {
termux-open.enable = true;
xdg-open.enable = true;
termux-open-url.enable = true;
termux-reload-settings.enable = true;
termux-setup-storage.enable = true;
};
# Backup etc files instead of failing to activate generation if a file already exists in /etc
# Read the changelog before changing this value
system.stateVersion = "23.05";
# Set up nix for flakes
nix.extraOptions = ''
experimental-features = nix-command flakes
'';
}

23
hosds/darwin/x86_64-darwin/machpizza/default.nix Normal file
View file

@ -0,0 +1,23 @@
{ lib, config, ... }:
let
inherit (config.repo.secrets.local) workUser;
in
{
# Auto upgrade nix package and the daemon service.
services.nix-daemon.enable = true;
services.karabiner-elements.enable = true;
home-manager.users.workUser.home = {
username = lib.mkForce workUser;
swarselsystems = {
isDarwin = true;
isLaptop = true;
isNixos = false;
isBtrfs = false;
mainUser = workUser;
homeDir = "/home/${workUser}";
flakePath = "/home/${workUser}/.dotfiles";
};
};
}

16
hosds/darwin/x86_64-darwin/machpizza/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,16 @@
{
"data": "ENC[AES256_GCM,data:6u0RRfaZaNk5KwnMoWY4dUC7xn132a7yKDZnStUSRS+Ci7XHMak=,iv:VQ2cYcdOS+S31d1yQioj95CTVmuvBVkgojIs6ib9iOM=,tag:QtC54hIryboeaOnDf1u2yw==,type:str]",
"sops": {
"lastmodified": "2025-06-11T13:04:16Z",
"mac": "ENC[AES256_GCM,data:sOzsL5QIET0hGTR3UwcKx7G8RAlOoLZaDlqsn9Yqw2+0yHPmNFs1N1BST3NNaNe+P9j2XruGgBNGCCm9igq8j37W46hf6uAy69Rx1Kzvrxih2Qu3P0Bb1ozyymQxeXDtKdvC0pxOFsgEk05l9VG0JM2Calxq/pK/EoGPfRQS1Zg=,iv:l0M0BrEQSixlU4I2UrB5g0FaKL32/VrCyJcm3MXujRs=,tag:hiNfmFMpHtoghOEv5JmVKw==,type:str]",
"pgp": [
{
"created_at": "2025-06-11T13:03:51Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cqwpzR+VevsftDMoj79xiFvayPxluot/mZKQAMPNpMIG\nKDNMYYnIKa1z5TBeDVuivslEytIqB8zEmiZ0Sa6oMJ3T1t72cQbKjARKyKxneGAz\nYqVEM/zHq6W4E0NwE74F4ZAhGA8abFu6nKxQwITwyw28TiOzkNHG0W49ZRLXAHRm\nRBih8p6B05Q1EPK3I3Gz4KUklqNptrbjtRvTzcLcVEkfbOhKz2OOck1a/kqjmKrb\n7/9ORD00wfcXnUykIzN7noe5WixEuDdaE1T2f7kgB1749OVPNW4ZhWsm6yGsRJbJ\nh3n4xUhTrwRZ+9MtWqOdoJ8Z2I8ylUmXiHJYfOj/U/BG7H4y/EMXQ8RR4sMZjlcm\nqhuzor4Ku8Og72RHhY7SnSCCSH10uHVqlfapVH7iLkwywg3pKWdqqEv7wU7A83tR\noDa7+zD4wZYS4p6TEvvv9jyUE9r5A0r5evqHSHzM6Cgkp42FDWkTb30NeBvX2RJC\nyBeQEPqiaAIM+dUdxvM+cFzYBMVdfMtgQHwr3Wkw+Bb2+Pt/JDxcSDBtJbxl+GGp\n+tWn6etfSe4Nr0Z0abgUcKq+niaM8rD4W0DhLNDLhXE2KRTbQV0YgBqlXZf+uY8A\nHagbCeGGT0k67PJs++hlDEeVhB980eMzHdLsv0w+Ie6bttgY81gOvsrr23RQN42F\nAgwDC9FRLmchgYQBD/46neLbZcA0IIPUyeOjwiS2p1O1sR/i9UaSALa+4lw/pdCu\n7iPWwGMDNkh6I+5A3++3lC3MME7A846MFGq9iFpH/+TyTZrqnwcwGY92CE60T1Q6\nouA+g7C/CIX1r04IiAVxi9tBjUmB+dFApdFCC5Mg6Yx+3zh6Z49zvMoO5yGqLLhE\nhqAgxJB0lB07nepgB0spJAaKBs7GyYEss3Cm5WpsitLitPRMEUKLcdvYUw6G09Kc\ndmJb9LbZy4Mn7YziIb+czWZ/hW6B7BUSUZMhQJwMcRFBT6+6aTpO6zWM7URbPQaO\nieN+2ShM5OotiUiO3nfRquBw5mUFDOR1ZVxF/rBtiZe2Jt0URE7pKfcuFQREKp01\nVgI+JUrEl0t8e5J3SSAoXColf+Oq4xDY+CNUJOAtuJ/LrNc0+Q0KwZwShHzGOl5M\neqUgkS+IMYrfJjuJZjTzQTJJ6PeC2VpEGO7czgCn9/5FftsrH2wSSLL4FGX4tXfU\nhrbtt4gMN0had0QkZkuhxlIwYcATjUQ7CGQfrhINC+EpEju/NlE6zuuIa+05eigR\n3kEemBa5Ely4onQeMh81nOAyhkhj6QcbE7qn+ueUMAb70u5B115ULLQUrivLu2jI\nSK6o1WAeZKZIcf0/6iB+mMc7qbG36nelK2JYK8e0KiVSIUGehpYwV3ELwuhzEtJc\nAYobc//aa6GU3pCFzp90TA9kAZXhqgaw9wkzicueAhgCfr8s0FxG5WxWQxfJBLYF\nVSPqrqJ0EBU1EF9G2nz0ynJL1iWiN5VcN7JTXYXTK8TPJUe0ZU1boS4AhOY=\n=AG4y\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

35
hosds/home/aarch64-linux/treehouse/default.nix Normal file
View file

@ -0,0 +1,35 @@
{ self, pkgs, ... }:
{
imports = [
"${self}/modules/home"
];
services.xcape = {
enable = true;
mapExpression = {
Control_L = "Escape";
};
};
home.packages = with pkgs; [
attic-client
];
# programs.zsh.initContent = "
# export GPG_TTY=\"$(tty)\"
# export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
# gpgconf --launch gpg-agent
# ";
swarselmodules.pii = true;
swarselsystems = {
isLaptop = false;
isNixos = false;
wallpaper = self + /files/wallpaper/landscape/surfacewp.png;
};
swarselprofiles = {
dgxspark = true;
};
}

67
hosds/nixos/aarch64-linux/belchsfactory/default.nix Normal file
View file

@ -0,0 +1,67 @@
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
node.lockFromBootstrapping = lib.mkForce false;
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/sda";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
garage = {
data_dir = {
capacity = "150G";
path = "/var/lib/garage/data";
};
keys = {
nixos = [
"attic"
];
};
buckets = [
"attic"
];
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
wireguard = true;
ssh-builder = true;
postgresql = true;
attic = true;
garage = true;
hydra = false;
};
}

121
hosds/nixos/aarch64-linux/belchsfactory/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosds/nixos/aarch64-linux/belchsfactory/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosds/nixos/aarch64-linux/belchsfactory/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:8qaX0CjyxK8qoAyVyxwfXlejWyGSY579EVmmUCi9PPyB5LyPjfDvXxlRFCOlC6eYbSJ1AWLqqZ6yYgZaimUHkOTh7dL+D4wSkmGeRnxZoQhq9n9sYZPJUfqEhMwEGxlrAvchXJuruZG+Tp9+Ev0if9f9J9qdU1y+yLGQxc2vnibMg2uxdpfYjHaDWa9bybRQZxINkD//um8uxkRs0xvWgZu63ReQZMPjx9K3vNtdJTZsW5+ZUB368QA2mnry2Zf60PWJT/+NsNKIwyzjhUNJ/eTFxjNJ4zPj/AnXFezfGvpVu6XFYsLk5uPb3XfpUlCj4mTVvmVlA40lf4rOhyoRRAW8d28puJArBf3nPzIkWQUfmFwO5EE3qPDkjMlaRa/RdRx0dvrbLDv7Ujt1XaK8bl3Vkz77oumCYFPV7J4mAeu3/LFBAoWKik6Wj8WQE+QwUWo=,iv:ZQaOO2Blpqn+Xnzt4fcPu+rNAvEdluwJEYRxPVItLcU=,tag:rKJ5g27ZK1wCpcyCVfffpA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1k73gy5em3js9zklnnkzp5hme9k04lny32fgahmzddknjw5c295asdyr4x6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbi9PZkRob2JkcjlEMUJu\nSG5TemplWkhWVXZNWStCVXhrUlFRSUtPeWk4CjZEQVN4b1lYVkxYQmU0SEJ0QnAv\nTE9IdHZUYmVjb0hxSno1QWxGN1ZMUFEKLS0tIEwrVU5uZmZPRGdZcjVsVk1IQ1Vv\nRXdMcW0xR2g5SCswKzF5RkIwUmtocDgKVI/EMQuvfKGeJH7wFm8VP5rKLhYKOlPt\nA+QIDAdrtFogW9Swwhzxu1tIOfMXzfyW9P+ec/b6/vU96PMqJQ6ZGg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-11-28T14:15:06Z",
"mac": "ENC[AES256_GCM,data:TxnVPtRHzUEr9StM3RlOgqD11036yM74HL1Q8ZkNSU89geAaUoDj8LJD1QKglDT5UNzfKeaZD4DT6bqill+H5FUuonOgLPxNoFKMyWhppQkMWM5F/bw8JUulacmE28b2Rd5zRVOYe3TkE11kMAbxRD+CvqEFBrLsZAndr9QdfUc=,iv:uzjzk1FUN52oAE0cuw7OLLmMRxE/VLQ+tUExxYQjwTQ=,tag:+BOG6wRb0h/jhyy7l8ZA/A==,type:str]",
"pgp": [
{
"created_at": "2025-11-25T18:32:49Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+Mi33CAnGK/475xmMlZn2P4aR2iFjWFms6XU540JZnfQi\nF6/bjq1otgxGlnR6x3zhPQU3whCQIv538UeiYWMoS8oPxj5b5eF33agihYaCq2wx\nHv4p0+hOJMl2SJPCHfmTkClqYGYMOzTPe1g6oiY0N3FWVoiWXdbWNkIGVNjgkedz\n5f9JPFWn6iB/Z07qUMwG2OOzh8ZPlh/PgNCBrCVMUYrD/FrAck389uMw4yHFz8AV\n3ETnx2gHFTwL5F8H7x3uVungoBVCJk+NpXiKS6nVKwH4jliydiU2ZClSzjHpCqCW\nd365MCahC67IkuCkWhwuPwDaKIk7Qw4rZaLybcad5/TQ0zT+XCm6/2DYIYTj2gip\nqrBDZxHZhkpYcArjckWDRchO9t9E/c3qJfD1Zxi6fBz0vu2WcCuTT8Qd6Zn+DlMb\nVr0D2LPlZGRJ+kM9xuZXaY1bGNAA2POvLn698prPuTkMNxidQEhPNuNy4PlYKXAP\nFfRzJ5zFUneW19j8SgL6BxfLoYDFWkoHIutNDH5H290MJqnFDUrQ5bQn8odM+1OL\noJ1AchHN3J0J5aa2Z8X0NSVN7N0TmU3xVZ1GmfdqbH+3V+OR3NMgJ/FKMQEutT56\nAsBc7tSHtJGaRS9plJ+RryuPRRnqGmRkS3vVmBkrD+pY/TwUbXUBKjEOWhq9uwiF\nAgwDC9FRLmchgYQBEACD1XnsK/sTsgtvt69H/aBHWVIWQNTmdhwJBUHmqkusFhPf\nXxfGN+bvapWulYI+Wb4LAQQbUhMmz8drPnWpCEobS3LSeU8CDD3wBrGAJubI7YLK\nttn4oB7XK5mrg9SIQ8M8kOElv19oCMudkX8dRs4gs0TBO6jbr7/lsiyL/sN3Ylk+\nnyORFeSgE9vVcvJ8QnIF+MQXF9Re61zJFqjXiDMEklzbHHVeLzS5IlYgJoDvV3Gg\n9lTtvdO/FV5JtjFeYI16rjPb7ip/KtljU5pBM8wp6VU4Dre0VsRBgztm279g+WaL\nDJuf6lmfwNSk66tiLpsaJoEu7A+UhLURI10cv92E7fydbGRZMgSjK6ZK4Ue6WH1U\nYQJenngZPXcRcqfCeTVTjzG6ikL3aCfvbuJ3/oT8Y8oBA5Ch2PG7fWAJMMUVIFAM\nLO8KqCSdRCoJrJ69s8iyBycOhPhMiwLZU2HLlMux/kLq5OB2JMGm8P4nxoXTp9Dz\n2TPoPigZritYHsIXZ3cM2iR3OL3AiotKlaIp74ElUeuc0K+Bcp1C//OtKTPuYGnc\n0ttC/dx3c9vv6W80JJ6i7bCRoDiuGrrdx783ly2br4VLDFSaS8rNbrM5ccSTVImw\nUFxZO9rLO0n7N6z4hlgrKw3G1SWKYqbgOVXxIog7st8JvmPLQZYjEuH9Xwq6WdJc\nAU2esxsAaDKyIPHg+DAXOPBagzU1tBKFYtwaiFVDqYk5gNE/2hAnKcuU7O3sua1q\ntsgL2kY8VSHcFFv8N6FhDYPdCrDgAwOtJSZGf7uV92q7/vbMWx+vGq/7FaQ=\n=m1sm\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

61
hosds/nixos/aarch64-linux/belchsfactory/secrets/secrets.yaml Normal file
View file

File diff suppressed because one or more lines are too long

51
hosds/nixos/aarch64-linux/liliputsteps/default.nix Normal file
View file

@ -0,0 +1,51 @@
{ self, config, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
interfaces.ProxyJump = {
virtual = true;
physicalConnections = [
(config.lib.topology.mkConnection "moonside" "lan")
(config.lib.topology.mkConnection "twothreetunnel" "lan")
(config.lib.topology.mkConnection "belchsfactory" "lan")
(config.lib.topology.mkConnection "stoicclub" "lan")
(config.lib.topology.mkConnection "eagleland" "wan")
];
};
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-360fb180663ec4f2793a763a087d46885";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
mainUser = "jump";
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
bastion = true;
# ssh = false;
};
# users.users.swarsel.enable = lib.mkForce false;
# home-manager.users.swarsel.enable = lib.mkForce false
}

121
hosds/nixos/aarch64-linux/liliputsteps/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosds/nixos/aarch64-linux/liliputsteps/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosds/nixos/aarch64-linux/liliputsteps/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:GntHmFTkr7OKUlAVPP1aPeGJEoM1/W9xoZzdXG/udBrKB8eadaOsdsT9/I4Q4zydLnAUZAb+k+/pu3inqiGPClNWU0LUMj7wTwPuVe57EyLaO2oaN4z2nvWhJnwfatvdLrFICz3MN7XLnpEe3D+3ovN2hmys1pd6cAJtEKDtmLJ3RNAhEXrMwOZ0MSzylApoi9yXULH8PqNBX7jPOZYYZ0jlnIbZB267Ln19ES0bZcK7L0608NdB+Q3xb3TQ+oSfnvsdxKyPkPqjxAto40feG97UYVW6AgYV1KlRp9etjEhIRZgn1qDvigGM/Y4HLgLxPM83h79LIVHDj1OySMyYR4bfwAR1U+Ij2nX0Wv6Q/nKx0Nmghen40AqLYp762ACLVRd30DALthhtMxhsiYIT6za3dNFRNnL1Lfss1+IwDm+XHBehBQsjXbs06nZcQURfszW03Y9KH1h5ePIS93gmkdUyH5Ya1JT609s8faukz4fcNmnXlZcnCW4fUawW3YS1zpWPGDNm54GFI06vii5JuVORrf6m2HJEIyYSzeYASC+rZOfEF8gXGjyaeh/B9nAzSq2Q/Nfm+fsceXfOkhD+ZD/nYg+whYPPfA38B5oWvwnSNRNipJLYVvdLLd6M9pTV2FHuEsFKpXwumuwMAhl287jpDVb5B6gYPnWm4zOXYX3KXd68KVFNOGCC1XrrlqVBwQqraozD+1e77eCK4OEyF8R2Wt+mCFDwrMp5hKiiFCHEX67RYqWwmZVx2hS1bovBfacoXknUaSQnfpUd5GYIVYqonyqo6cdn6LKR/0d+7wR+JuL+PO83XcEQvegfHXAXmxIEzPdsL2PqVWGL2B/qyyAZGb3hoY7hmrpEeCCefYhSkxewVDCuvL7xLBCFjq0PsPJw0CqYE0KDIgXxcGLQ5f+pn6O07YDfN+7PVPrPAaN/UTwd+2Xa9UfVELdKKhAWiywsiDCUVO9vkpvgSoYYSrtB8Ceg3RXWohbO8VrjF6UhUxnslAw8TBnBx4FtaSuI73UiJnkg9V1es47NmOA7,iv:JYRzdtAYu24aWIL/hfWLbkS8xpcPw3ylZROuuUMVmIY=,tag:Ot7G/QiTLhmnlYe7Z9aOTQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVU5HTGhyL0ZBRXkzZ3hq\ndzBMd1JZTktZbWNFMGRzcXhFK3RHb090cFdBCmpMa0FNMWFCenBjYk9FaDIrTkFS\nSnN6S210ejN5SVVhd2FWRG1SUHB4WWcKLS0tIDV2K0h1QWxwUXkwVnZlYnR6eEtl\nUVR0UGJOR1hadUtNcjYyWE9wblAwWFUKVM+J/pqtZFADYTQHfWCdvPzlhtgR6zAy\nu0EWk77+K2J0GeBuDr1W5yblUCknht6WZCJZcO6fW7AuWSQK3e/EVA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-01T16:51:40Z",
"mac": "ENC[AES256_GCM,data:SWLGPgFcdiGSvN5BTmE8Nq7+pBiNJM05H1hhqJY6wJqYZehKhQrQRj6/DSlYWPvYE/DdWo5Tiuc3RNY3NANwhki+7kl0OBxHoaHqBgOTa96rdPwe6V3s55v++jtm0xg/qLHEPCqrKqw/aiBAQLJkDOh/IykeEXBMW3S6EM+aQ0U=,iv:2wn4jQHdWWhIzOyGhZxow8WG6W0VgA2gwhb5X+k9ja0=,tag:8g4wQb0u7vbIPkVX8Ey0eA==,type:str]",
"pgp": [
{
"created_at": "2025-12-01T15:59:42Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//cl6I+s/JLwwTCX7WKdzeOIkrsK9DpY3pXBuzoZRSRSJE\nwFJO99Uc7/uH1DSsEB/25CWI6eWx7k6l7YDbcbXQgi5ZNoAt7BePeCu2LK/3coZB\nJe4SManP0sPqxrSd92Tnm6Zl9EL4cJ/5D2C2RBTWOaOtZHR8gyxx5+rzCotCoTXA\nJseGE4B8r/M0O7PAS9+oD14AwCndhuvkmFOq0Y1/wXldV6yCdgc//0oJBSTCBJUZ\nYMSQLovEYGvF9bFfpWYU8J53WqlGn7QKVccDN0/gfi8IVGVZGccUA58VaVqkzR41\ndYlRZ/sjtd+VXmOg8Fx79bOlzTn+RBCp9y+q5yKnzUKGe0/Lrnt6+j7+ieIowi76\npBd0bEaoh6wqdCJ7GSjsj5kdSXRop3Ae0ff+J0pBQNctehpcWj5/TpeA1zyslwEC\nD1B/KVN+Gh0XBCg636dUkt2E4NPNDckSRuvTLy+8IkTm7aQqTjqDu3WUOSPzZiZK\nBUGZWwXAS+xPPMH26X6gPTfZj+7Gdv6yxTVIwkphDbWfihxIP//WNbKX1QN4VSHf\nCmoPOrriIdgZ7d2olZEJxPgEVzavkRkiMSFQbQgzjx5Af3ccdav3mxlubjXldmpe\n689Joj8cgBPg1Yfk/yl7tVK9TFJgYXTqKfsXwscrSlsV+dRAN0pHuq1uo9cTE/SF\nAgwDC9FRLmchgYQBEADCJ5IVMNp+PgUDOiajCfpNq3/HsntzIWG0tIjCb5L9TFWQ\nMA2LQWhcU5CRBh7Sakf8IFi/U40SD+dILUh8JR/7g2i9mCS+1e0pkUwSIYxzAI+z\nQeycuyOrdQJFrk+nFbTdZVAerElxew/wQUiC2uoI8tA5+XyNeNfipaptPh9FpFuz\nXhFbkZDJ4kapGzsAn4FgUdmdqAgZ5n2W46WAmDmVKM0W1F0zZdkBEdkEKkv1gRpZ\nRntb/mVEiGAdXv6yAzvHrxgIBkxazzstRmCMXa252RUIakXqvkP1vw7B6ChSFQR+\nq9WNo9x0EYXivd/+ROjHT7WNhEToWems/3CQpQd1LEFXajLdpAWd875acqhBJqtY\nkpKqUG5F4JmTZ7hMuGI0g30nOofMtmFhDX/gCpJ97lEudHyNrHe0KWaQAwtRknz+\nrcPrZQmGRRcf4xcBVe/EDUNlkp9fPWEhFAwKMsVkkvCAADZbvdhLR6URJMmUj5KG\nOuwglHnSOMxCovAQUd3vCtNkkAnRPNOW/WMThr+qfjq8oKdDIaYBxjzjSz1FIsho\nKiz4W3flRzUcALjKTXadQl/jJEhpP3C6Ivh0d29SiKyrWG+Y4KlDIRctub9UjH46\nb2wqbnBzSrC8u9xJINIB4yryXsZiQyP5b39guSKIPjURebus7LBxq+0I7Z1OptJe\nAYk5htmFDe9Sgc+Do1L0kdxjblaoWOc0OiwYshQ9cMv+/IsU0U6T7w2A+8QkzPFc\nGVEmrW1Jyz2O3eMpq/Nl2IsmPDYTEPqhkRtAshBuYsoZJUz73/EovcSxyJ2moA==\n=o5Pw\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

48
hosds/nixos/aarch64-linux/liliputsteps/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,48 @@
jump-key: ENC[AES256_GCM,data:JLGy1LiNMjn1Kz0NmLYyiqarAj3evsoilCmiqXMc1JeZiFwLYoPiQjLYXg0b4Z77O5g71/OjRwKmocrLV3VBxo0rbw4rpnljGyZ8ehc/kyvoFQN44yGF+6EkKvVn9I8qTzwukTxCs4H7JgsjALAL8a4CGEowfXJlmZxk/a2SKsTr8qPB9XbCsUwrGBpBHa0bjIb52B/srXvKBfPAxIbWNlWdXFKuDyVJ01WNqlADj2sMAGRvI/X99o/EhyKL/3lMZ1rbSzq+RDlzKd6RFNyLM9751WRIc3xT+YHS13MYgpUu0B+2tKqJLXCSoGbRRSYlBw99JF66ns/fB3+Z/KnpoUGGfRN3S1orCnXkTp61UO8zskSIwU0MamrKGL8DM7kDJk1QLxTPU3usBZPXasTOxK4KAdOYo7nk8OvoZKtNj9xci6R9jeMfSh8CycKdxvcqsOw7vVeATUAGrml5Kf+/8AjYZdGdt2EiFL+7o0e8NgI/lkbiFzNISLBc/lrg0rk61pv/,iv:fPbPAptt3Gsgi7v1xCCHRClSJOXokBsvyCuLz/BoGP4=,tag:NhzeHRxwhQNI9HUFwLYMYg==,type:str]
sops:
age:
- recipient: age1ly2endyt0y9xyddj6yuj4nw6fa3ltvzlvew4cr4lzs6dv8dkavpqadmyxx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJM2J4a0pNZFRXQ0VjOFFQ
YVJIL3hFVlg0SlNFaXRvbkxMV3RhZm00Umg4CkszSnZLTXBXWUJHQTlmRllQRjhi
OENYMWRaVitPOFAvYXpJMFFYRnVYZ3MKLS0tIHk1UXhOL3FuZjZWNUxzNFdBT2E1
R3MrQ2IvVWxGOCtkSDBPZWF1dWdHSk0Kz+zJhpJNmHHj6npV6tQ+n4F01A93haSm
nyT+MAs+VxRlRNNbAih8En2uxRlzSHjFekrLLaGbVYTrRtMfLiKyvg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-01T16:49:44Z"
mac: ENC[AES256_GCM,data:RIz594CVnEbUw3Zugj+WO82o6yqOD4JwSFzkqFOfd0M+LOFM68tT/14D7vxPitXEPqLvJC6MHG5vQ61PgU4fG9JoIEqxjvq4AAYmSdCwmB64MCeUIr+V4/fcYrRxuRyiXC79z+rJneO7SkGCX95pfVhGjaLftzSjfiNPPsC5pps=,iv:D345cMUSPCGzrL9uWuDwAkAqz2mTvVTL3QVqHesldGk=,tag:HkBF29S1c9g68aKKSYSWhA==,type:str]
pgp:
- created_at: "2025-12-01T15:59:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/6AsofKCzZ3PjJRHeHSt4XfdIVCCvWScjT1JuvOnq2fXIO
ZcgXPtVoDvd5vSv/fZed+1WJNRpiuNBdmD8cj7N+XqJotgCsQt3HwROCD1UC70Ww
cyHxh3MyukexrO/uIMbQ6ugtIHPVaeC7XyAOugJfHFWZG49aW9LYDkPRGluc0/zh
7X/p+hZFLpljfL/qdZAakBDw2V0+yt1+5JW5V57jIXRX62BRSFoHqLrasHjvDgyX
h3ktgaIeDL+WssV7jra0oetGsXOL8+GPpo5PVgWONrOl4FBBS1qmNRAbLkJ77KVN
bBDV6Oy1DLqYvv/3UcqWy5XW9VxepEVsAaR+gtLzemMQo9e+qBmhE6tNR6Gvi0y4
WmVqUZL/gF38sCHoYDT7oWq1cMJ7/zT9Xz5AXgXXSbtBKaxZAFs6QwZfw1rW7dj6
Is1lXDNCtprsvc3Kxf/R4hHWT5nVFJN4xpKT+epLnumMA1YvkhWx0uziiky4ZH+6
u+RkK9YZYpGdIYPg7ZK+xLmGLU0YwdIbgiyyH5Jo9JJcqgS405ftAe0iyQjHpiU4
0b9JvGMWPzJxWvi8rzwYcI/cfd2n7ZPchTT7KTgva9xeFbn4g1ZOlEKOWg/ZoBr4
WhpI1SPS9kW0huGXS1k7Dsu0GzRBmv37AEm2mVtYPYwsK0PYLKfd4XGFQnrL0euF
AgwDC9FRLmchgYQBD/4jbW4xGw3JC4OLE7o+GqOoAFz5c034IHiEdgStYNx1RrFm
m4lstvzqUNL0DFyYdMi74iBtqnnFc+KymCTxiAlKiJThosMbV2sffc7e6CI/z9/Q
dsssJwPhv5h8XTbDSeGDk6gEr2kyKV1+9UZky9UYASHii4uzonofnV0RO+PdgTPk
mp36YufsnW2yVuKpsbCdMddEXqyaSYuhsU/bMAG2orlWFqqp7kyaARNrdI9hBnYQ
ITZTM4pPKQ334qhqUd/JYIR4luBbmBxJgTWSe5VqWqshK7u1aHr2mfXUip43+5hA
mxNEp0bmR0SnczKcxiZjZK2ZN+fBTqBnPQAxzCgsBjWrCd4a3CzIDOR/Uf3rEx2W
ccDJWRFI+cSpjLps1BphJvgkFjd31XcplLR41R78h28Mec1bE6xHMi21XUbGrITy
IuOmWAv4EDwRQtnfq+9qJ2DbmA3Ldo5pNPhldH7njET0TZVvB0ugq7EIvKxiNmX1
kHcq0nV1udSRPr/ta/eHInBD0VbVwNhk/z13xzPGKQVkhpcgy1dJj9FeJnUXqzWt
7xvHCqeGXVo46YeXYXglxUvEzBtdTGdEC2NTntEGhX6dEC1gl/g1VYcPfJJlk+S4
RENvBpCa1Ji51ix8L6u18jT2epfbxcZcSFS/0Nv8a0IUktvOeLe6y6jdYJHYPtJc
AQk4Y0lgOBoqiaNtybNCd8c/rO/yQ8m+xIxmiyyghjmPGWzEX8fHrR9fE9TVY0s3
8iBJVVDZEwtiLiELlbce0zkdCIH4UiyyEovhP/EEwxF8BrnAXo0NnVzcDGI=
=2NIK
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

114
hosds/nixos/aarch64-linux/moonside/default.nix Normal file
View file

@ -0,0 +1,114 @@
{ self, lib, config, minimal, ... }:
let
inherit (config.repo.secrets.local.syncthing) dev1 dev2 dev3 loc1;
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
system.stateVersion = "23.11";
services.syncthing = {
dataDir = lib.mkForce "/sync";
settings = {
devices = config.swarselsystems.syncthing.devices // {
"${dev1}" = {
id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
};
"${dev2}" = {
id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
};
"${dev3}" = {
id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
};
};
folders = {
"Documents" = {
path = "/sync/Documents";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "2";
};
devices = [ "pyramid" ];
id = "hgr3d-pfu3w";
};
"runandbun" = {
path = "/sync/runandbun";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "5";
};
devices = [ "winters" "magicant" ];
id = "kwnql-ev64v";
};
"${loc1}" = {
path = "/sync/${loc1}";
type = "receiveonly";
versioning = {
type = "simple";
params.keep = "3";
};
devices = [ dev1 dev2 dev3 ];
id = "5gsxv-rzzst";
};
};
};
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 4 vCPUs, 24GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = false;
isSwap = false;
rootDisk = "/dev/sda";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
restic.targets = {
SwarselMoonside = {
repository = config.repo.secrets.local.resticRepo;
paths = [
"/persist/opt/minecraft"
];
};
};
};
syncthing = {
serviceDomain = config.repo.secrets.common.services.domains.syncthing3;
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
wireguard = true;
croc = true;
microbin = true;
shlink = true;
slink = true;
syncthing = true;
minecraft = true;
restic = true;
diskEncryption = lib.mkForce false;
};
}

123
hosds/nixos/aarch64-linux/moonside/disk-config.nix Normal file
View file

@ -0,0 +1,123 @@
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, config
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
disk1 = {
type = "disk";
device = "/dev/sdb";
content = {
type = "gpt";
partitions = {
sync = {
size = "100%";
content = {
type = "btrfs";
extraArgs = [ "-L" "sync" "-f" ]; # force overwrite
subvolumes = {
"/sync" = {
mountpoint = "/sync";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosds/nixos/aarch64-linux/moonside/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosds/nixos/aarch64-linux/moonside/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:MeJM7Y4TN0doXAHHxa5y+ZuatVyEsx4HL5sMBGJ77J6VIuqS1GvY9D2p+/JETZx5iwEf+oJ5CMUD4/PQtXbUM7RKzhyzU9AjCdfNos4ZTEyLUhmHgAup2AP0yVO/Qb7dYjDPwbT5wycAAQUx+3xc1GKX93MqsKfNVUqIHWAr20s5ct0RxBylvPWeZA6eNDmcdgNaA5QgKoEDrZtfK3inTg1UmhQZrvw7MWzFN68DdC7FRxeDxSdn1ctucGTJW8k1LT5MdwGCA7nX08vAMG7VBIuj61ZXXU3zFtNRtdHBiyzlqjgInHRWevajK7L/Vjxpy3ffBRAFFQYZi6jVaui5acOywSvCvvrzVKN6Z2Rzc72KfC/np0NElJBrTAqBfQ+8tXrjjd8uaTQXbcXc3qk/y6+kfjOcYB8lk0opA/r33xUR7QkMElu7zuw1+u5ClKTOIZSqkdqrEbTCnw+hn5fL2VH0bShEACXQal6z/XnJSULmzxE5YfSK7qsJxakVux+Ksz3E5EHYgyyMCNk5WEyJtFz5FFBV0+FDbar9ChdLPvY/SEGLGS7ekx6aA/PQGQtb/xsk5pylt5Ie6vxL4YBDAxgm1ss4ciK3HfoAZJnQbfa6kkqm1rfAvzr2rM4WH/Vyocakpqxv16QH4AtbX0A02Y4lwMhxTz+8XRFxLOm4CBXYBddKSMKEaW0VCMEl3U3g4e7vPRg2tp+1WxouJSjbejgnVeq/A026j6ZwQ44xADkWjG+4lCvIO0NLZIv5uE3Sb3a4sW4dphqrQPWMaiOmtzxxZWbO0GTnQ5/U2U6DCdyspGjFEFAGOxduFTBMhIeDzWfHLty/S17Hjaxp+v3qEnOs7aMznIzV/LmzAxMp0CVA6I7ehtzbHVNdaY4DfrrNZJgYzkoUG1F0De5in+Bk6g22UecAXBW2sLugmxPwV14sa0iD4IpAvrGE4LwdnGOFAXWunYvOK2zsn92v7ymESayGj9PqH9srL/yaB/RZuJ3VtwLNgPTc+Ly9G6PL3XMInjWdmI9+wIuBaDyWdUxLZhhlH+njc9Bc/rxQWbXHlggrTFQw+rLlQtw0w6rS+avbC+KDpnhhTKDV4gQZsvY8PpKlsmvgN8g6BKrY25JE9sLBMMxmzSbLfIUDGgfUi7BM9p0l4wpdWrHB+rBQtoULDXCWR3LRD4SnyBoNSgXhoXxMaelUVpfOlY105sLLYxMzkzSijQ+OJ1pST1ED+XEnjddcLJtJ+1zIQ5aRZCYDcRr0FGvLcfW+M2yORIc03r/RI/wKTASezuydtMGibUUwBq1jjb5ZDGQEVdABPCEdqBgubDllFm3JdkyPV6V0EoQ4Qq+dv021exQqclentdBqK/A/LJ+h1QQyg7+wDdeC0sJF0EHP,iv:5u/hx1/P7QsLpx/tXceGMjI2Hh5crdguiI30+HJfd/w=,tag:8k5G2WALcjD8S8lZ30EWGw==,type:str]",
"sops": {
"age": [
{
"recipient": "age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YjdYNFF5Q1VzQTZ0WU1z\nN2R6cEVObU9RMXdpd2x0Mjh2cmpvY0VvNjE4CmF5Sm1vZWRoOTFIY2pkQUVRQ3FY\nVEd3eGpCbGQ3cUpvTE9JdjJMWnQvckEKLS0tIFRpZDZ1ZGZKaXpObFhZVlNqV0hB\nT20rRGV6S3gvWkZLUzQzVVNGQWNGVkUK0bAeRuI0vb7MJTtpxuD56nwZAk39sHAa\njEhntqsV9ts1Vbw2f0mZEqDdzd64NTtDm/YIwygZ2udV27mXNhVUVw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-01-19T14:14:55Z",
"mac": "ENC[AES256_GCM,data:tNJ4mSS9ulh3sQ1X5ccoswadbnQVm0+3bbyai486ljw59IBkGbf3mo35Dc1PHZJB+zXoiAj7d+hhY7YGJNz7CJjunI0o4+Aj38aEMUa/VpdO0LX+7xTz+r2wX3zaDYbAI16klElXJ30Z8PyVSoGosbz5DbPAKFED7silxVfiPbc=,iv:KOWA4/+jKqbrghw+LW91UQj5+IWSYx2RSi76ew7uNZ4=,tag:znrx6hMqFu+lykXu3DCHMQ==,type:str]",
"pgp": [
{
"created_at": "2025-06-13T20:12:55Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9HYZO7Bu/PhfIEnzlD9RpDhgk79rSdl9rfrssXOhsXh6j\ne016mp6UswsFuNUCArHOzOQ0wF7QolP/TW4ZAXK/Rb1cTr88JVuGy9UPx5cLHlaU\nZBmhFZjkYYIuYkPgKc/ztcsqGrJ/gqz15hjerFIB2vbcFRKfxN5xwIxb/hC8dWdF\n1V5iJhyTwvITBzXSJ4PfOh2RjfGmytKd5/Gf1DouW1H2Y7JgNSZPmesci5BUYyDd\nkt+rUjwe3FefOfzPVCA7ojfBuNxhU1sLJiEbGqEwd4XkwzU421jOIEzLM7qhUbGx\n0HzPUflTO85acBpwP3vf0NtsJXZyYG4/v81GLm11MEpwt5n/nJaxokbbT8CPKVpN\n8gXSwO2VhIDFWGeRMvfG3NNmwnJRJiSS0FTpRwqt3bF7btBfEE75HTGZq0qI+p+3\nPPqWz3SLMeAQvTqmscGpuIATX5PEDm+knq/D9W903mLeACZEMy8Tk1LDyuwJCK01\nJX687nOKgWfsq0PnhItF5Z1jfSMbJb6g3fH2Fpn6aB9bx9WNARNu2s28s3StE31K\nLtAvRsWNH6UzfO3VHMkphHrd7ARDre4pCeHs8B3wy+HswZxO2FEawTD0Ps0hejNF\nZPI18eTmCu6zuumhBwM72BZlWBj50HoqampjYtnlf3JemhYVysCbwyqou+i4S1yF\nAgwDC9FRLmchgYQBEACZ3fR5HsgS6ko5QCns6nqYfZyR2o6hyKb1iaH0veJEL9DI\n+EBaBJ6+8GPNETMACVz+wGd+GadoNWfgFNcUMz4TobTFGwsjmj5WRllxMtX1RNmf\nnqvMSflKk13DIHLbmsY4bGml0BE/ssLj0SiXOAmUWUZOMT+/+griCs4Er/fxphjA\nN3J+G83Prvynn8o924Ct1Q2wDXCWm6MENbbzts03IgkDHK1bCYVsTQ/ca2v+zB5g\nzRUR6xbi7Ysgco/DwDSu9DWIyNOMnsKnS3Mng/vXPoimlof4xGKMHRzrqdP5l95M\ntx2+/l4UNg5aQms8h9MML7AzVmVfJu3pLM9IE89WjVBgNE5/sQEfg7G7WvBBdfoR\njAHhkHOfZDlEjOnQzTR5MYZ57BGIGhHSOrg+IIX1zYaTNFEcnkfpLIJ71KOSs35w\n0hxud2CzFjxnbknvZP5myrMPwfQ1TJmR4PAWE1+XRMze18wCnXcosT7r+I/yc0mG\nhD1Q2YW0qYOY+AhOgshJ+OOvybaPFc8VlDriLoAqLXY0VaQVBIZGTHDY1SFUI4kY\ngMgmKJsWK0wn05J31FSdXYCEQubqClSN1BT+e0ceDnkioVvbTqwRBcOTXkQ9JFiA\nn65f6Ul4q9/ugOgLmrFiLDjdkmkdOOXo7QcgZrOL68+8c1xIxmhEgKobK5wBUtJc\nAXHosTJgXYvXHKDiZpFpN1gI2Y02tbxAb0Vois+ZZcP8AX0t++tZKARwguft0zr+\nWGhdQoGVeiQkAGXOgot66nGOtq/MtChmMZFEG63mc2B+84OOZBcXf66vsdU=\n=nCdw\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

68
hosds/nixos/aarch64-linux/moonside/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,68 @@
#ENC[AES256_GCM,data:HCHFN2Q=,iv:Z3tD7Hn5eudPR9DuX6etamkpNnYB/NRYGppWdyuUDuM=,tag:tbuWEFDmh4HAyksOZOihLw==,type:comment]
#ENC[AES256_GCM,data:cEw0zCAIF5242UDWZeHCxNHVWQ18mnmaRyjd62orx2P+uq9fiaoDP39ez1Y+wGh1d+FyyYUlh2l4,iv:TfK44vaoHmvShckrn7ztRvWnEUftaMVNNf8O+c70sS0=,tag:/fDK7VrkBLrcWfbBe/A4wA==,type:comment]
acme-dns-token: ENC[AES256_GCM,data:qajr+/1OpVno7yyt1z7cXuSFqjZ4aUW41RP6ww1ZxJ0FhZQxhF8OTA==,iv:8QxdzLc7T803XB0E7ZeVmSLnkUQICZP0Jk1zpoWjdqA=,tag:xERubWmq/vxwFk5V59o69w==,type:str]
#ENC[AES256_GCM,data:XdLlonkGBN0b,iv:wimLW/7+a4MJCVg4zazY0ogakxXjdyPNZmZt0CzpXao=,tag:rg7FEi1qaYMkCXX+dwjFLA==,type:comment]
wireguard-private-key: ENC[AES256_GCM,data:aBQSwDyASfVPhU+5/yT9P99DCEfgt4SvhVq/aLe+AUcXwSqMiI2DkM5THO4=,iv:iAW/OUihMXHoQpX8pX+f/mz2nclj+n/ygwYxx7PVxnQ=,tag:zhlxjoIkfa237RoFNblszw==,type:str]
wireguard-home-preshared-key: ENC[AES256_GCM,data:yr4vO9Bn+3PJheJHbeNRHu0ozCkgxCGuKBJnb/3zzHVQAsI7GonXXQxFjBM=,iv:1r9QgfdLkXCtrRS+/2+f251FjHiAm9nf/Zfzu+CYuws=,tag:kWiXCTfj4Rrzhx+SpSp/dg==,type:str]
#ENC[AES256_GCM,data:u/O2rHXqOoTNpOSm,iv:hqhZC9R76P3sPkpQMximrvcTC15IM99QaRZErC9AIc4=,tag:wc2w7iwtfazlwWpnQJV63w==,type:comment]
oauth2-cookie-secret: ENC[AES256_GCM,data:cbNVAkBAWJCN4fLmkYUFhy8v9iE5fB30hFI3nTpZuVIFCnmXPBtlftI58Zg=,iv:q9xjUDOH9M4pW+9YB9dEYSqEu9gpsezbxcGbpORNljU=,tag:KoGNcssD608huewmHeJOxw==,type:str]
kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:wUTfb0r9d7nRb1wmQEOjXwDTM8V56DmOGw==,iv:OMXiObgt4AbKmovT62+P99r0UzGELj37FX+lqW38F0g=,tag:lksIWm0cSLydTZvlxliXgA==,type:str]
#ENC[AES256_GCM,data:+aP4Jw==,iv:TYiFr6tWfRzWyFq9DO//0SOJ3+Hu4H+Weh5KeCUlD6g=,tag:kTgWC64QIHlwVertJpSCCw==,type:comment]
croc-password: ENC[AES256_GCM,data:c7u5xj4mG222wLPYuKPVh6X0SaoUBH4w6A==,iv:BEkTlLUawAqs6zk309WMCW3DEXjmXv9LHt8mkt8RfoU=,tag:7CM5D4ibgXuVIM83ismUaA==,type:str]
#ENC[AES256_GCM,data:v0/dQUi4gcI=,iv:JXSkXO8BDbHPzxlgnCro5OgN9sMkMQBX7qTmMvf2D2M=,tag:XBgoXC3JCPsBL3g0x9h3Lw==,type:comment]
microbin-admin-username: ENC[AES256_GCM,data:1YaDw08=,iv:hg+zaL5jiEfyvGpptfJ0uJgxygtMBJ6kfCcrAzUW3jM=,tag:HWVTTLwFjV37gRVirIQ4bw==,type:str]
microbin-admin-password: ENC[AES256_GCM,data:+UyWJAsQ4Jd5iJgdepJ/m9OvkEewLKQz+A==,iv:oJPZjMnFJ9Mq4tUUWQV0yf/bBvesEXuWqhxr1s5IORQ=,tag:VX2TwIzTbpsyxf11RtA5vg==,type:str]
microbin-uploader-password: ENC[AES256_GCM,data:20QOWTMLS7iTS/Q=,iv:EuUYcY1l4ykKjWvCA0bpXPU0033jlQ8qjYyqSuLAQl0=,tag:Ka5gWBajMdeZS25AajToiA==,type:str]
#ENC[AES256_GCM,data:ZnMVMv6M,iv:z53BHIVvMUfYseftc6DTU9Mlb9ywEvNHv24TvIZiMFI=,tag:QdeWjrw0pmJsXYobADzA1A==,type:comment]
shlink-api: ENC[AES256_GCM,data:XdfDJMjyhJyeqVB4RKgCdkWT2nYC/Pw21D8H/JzkGLuwGx8Q,iv:zucJGNLX8018gD34NL/BwTe0fPFucqpBtMCYXd3IGHs=,tag:/sN/ayEhUaCPmu6fS+mMHQ==,type:str]
#ENC[AES256_GCM,data:R5mm4WAJww==,iv:6Uyb7Qtl6vt7nur/NLBlrVtKoPkF3ZjXdAhT24HW/ug=,tag:6X9b1zZbpHoEZmaYb9NQSw==,type:comment]
resticpw-SwarselMoonside: ENC[AES256_GCM,data:+kPee07ZmnAv4V0=,iv:gi7sdKO+WE8qTuYb3wbjgmVzRvmF8hd1h5vV9QDx+6Q=,tag:0/azZWAqeXcXCsmx2HkFmQ==,type:str]
resticaccesskey-SwarselMoonside: ENC[AES256_GCM,data:R9yj4NFFeZ/iU8Jwp5r3BwnZDy1eSWsebQ==,iv:8C05b7pxA7fJC1Mh5oAH1A5LtNYhZaZnQfAjZMURGtc=,tag:pSGpJrOy/i9Iq22OQPtU9g==,type:str]
resticsecretaccesskey-SwarselMoonside: ENC[AES256_GCM,data:8dp2FGgoJa5TBy2HFITO2to8Z4xoowzhLrCZVDLrAA==,iv:2t3CoVp/4+8xZvSjuMnq4d4nFugnL53HPv1r/odKGvM=,tag:I5zxggxsNHVovq8bcRs0Pw==,type:str]
sops:
age:
- recipient: age18quey88vge7xytclg2nuq4ncme86dg04lxwczqxczmdchnjg3p0saehsnh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPU0xlcmV5ZUN3N245eGF0
ODRabEJLK1huSk80WWhQWUwrT0ZpRzRsdTMwCnlXaEhoY0JBTGhRN3l1ZmorYUtP
NHhHY2QrTDBFaWIxNS9hYnVkOEVMK2MKLS0tIGV3ZXFjTnoyM0c0ZW1ra2dPWmxa
bURRem1aY203VW0ya0tZWUY3WTJLQ3MKonflaevgNP91G1cVgzoE6/K800kyG6BK
Goe81HCYFfm86pzv5wV3/38j7fTZNeZnKwPFkMgEUueF1kA8J9V5CA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-19T14:13:20Z"
mac: ENC[AES256_GCM,data:XKsR8Gp6UHhAfoOdRozMxoGtdhfV7b6ogsqlqiAfTsuUayVVK6fRIgy5no5jcNnyyN8zveH/QZS1kGpNSY24N0l4gBA3u5ay5fsS0HjfW5b7mNpasOttqCrm6RpY2ZDdTUmsk3F25QEsdc28fajURJKOazZSs78dbdNq1LdJK1s=,iv:TgLuYGZtxx0ZPPeR1M/NgV1Wt7f5V89KEFOpKSjBxws=,tag:I/CGHZcT6n9X8R2EYRbOYw==,type:str]
pgp:
- created_at: "2025-06-13T21:18:31Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//ftUBIqO4dedauhSkSKOH+8elmHe30/Xv2wwAaQiidS8k
J6PTDkgplfBWer/5SpwIVZ9Rgzc/NentDYwIYs4u2ovk4w7uaqCwtSeu1Be+baVh
hHjVUUZu3mbq+9Uwp+hvIavn53tsdAz0WuW5AEqwZZCKJy8r95a2t1BWnNTy6eoN
F9Ihukul26wMRmJxIMqPp8HYKWothkeAhuE67Qsh4Bv2t10XTBV5/Qju94YLU51m
tkq9SfwHlKEqvkRvguUfnUm93xJk1PVxl1PfimhyZ8ch+RCswTFtcLUQvxbbHNKn
nBfQIjkkuZQtP4BkjlLdFr/7N4tbysjYu2aTIP7gmPCSzGs4fv23XNOALLk/N+7s
R+tnyaZg5djl8LmD34MVgx1sHV/2Q10lQjE6fmgV54hjVk5qC536fwiqjXOQyvso
QEiIs3SKnAmp93h6VDHIELJJx4Ng2fNjZ1q6w7fJR1XcbnKPLpfXLc0hf13eoAQ5
jWRmsc+9dL8o32bYlkfbt++R0unJLQ9QMrwqdCH/jv/i6YtJzutcWUZgZPRx4Swh
HIHMlI+bAKGsqIrAFfOIbpRBK537xdjHzX+FDVQ3ld+K9geVwulA1HnVXf8XZJTI
GmW1rqnN/omMr02ekCZil5LrnKs9RaE2VEyK84QfuqwdFFPXXutc2vBuP4jkLuOF
AgwDC9FRLmchgYQBEADB3Z2nHU+08jspiq7l5d8gMD5RfBoHpdNy9JE4bz+z9Mhm
KPu9qNuojovSsiaM9+23oZvRyTKHmgrRKk1eT14BTLhFXWBFAdP10+Hxp8u1hbUK
uGZoMutJtPVBvBYaz+TmQoDaGsbYULfkc4wisOeB7pnbxLrm6N+uJ4eVHSvf6H2d
nHFvgFMTXZwgIPI4G9qg0ygcYI/XwbRssGtwmKHpqc4Xmn5Lg5sVJE+/gkXdyuTj
UEQohQfdg7O6iIWq217DAZpZfKZ06dL3RFkYYQP5R0kCLtKnJOW2wDWMiLwjzagK
zXfNp1gbymqG1gOkOE3sSV09cvSH8YdO8DbWa6it4H58XCnVtnSm4iAB1dLxgOz5
vwcnqL+9TyIY9VmawoKtjXIXNTnkvRAVEGHVA+zWocmfrvVyxhvlfjV27L3rqlAP
Ambv8nzjHkq5r/vpmP9Rb5oR184gEVlXmrb34hCpJrh25cXGR7tVvFTVpL3/1CoB
kJ0KkKpDpgaJV4zOeqC5KAWomoR4/eeDAg0977umWnw2rqqM6QNgkcbD6G+h+jmQ
owoWb8LMXNKEEUIvEyrsD6lYFJ6y7jmeZEiHLESp4gHm7TE5v1ROR7fPqG7bmBvC
/NyiLd5xT+iOtBk4JCQdHD238tT9EO4RvKToe01TJKuGygNjLjkiOpo9ZrxQT9Jc
AWaSXNBoAXBnNCVkyJCTzK8ejPx6SM1K85q/Micz+eidGKr64ZN2GF2dMSdiwwFN
YbUMFxVF/iB9++97+Ax1GrI4WnBsuA8cz+hTSdIM7GufLJNX73XkOAnK5bs=
=8VK2
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

41
hosds/nixos/aarch64-linux/stoicclub/default.nix Normal file
View file

@ -0,0 +1,41 @@
{ self, config, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 1 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-360e1a5236f034316a10a97cc703ce9e3";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
isBastionTarget = true;
};
globals.general.dnsServer = config.node.name;
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nsd = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" ];
}

121
hosds/nixos/aarch64-linux/stoicclub/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosds/nixos/aarch64-linux/stoicclub/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosds/nixos/aarch64-linux/stoicclub/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:4C3fdXBKI/x/7B56b2n6OshGRaGgwYc4HQv4CRgXi+Y83hQj6wfbcqA55Xm9cXOfGAm2NNGIcUrVyuGHKlur7lUkvoNYe+a5A4GEkXVxiAoJKGcHa2nqfmR+GQJRAE6gNm9wgUL24CfKonEb09NgFBFfL7srXtkU8R1TMduUiYvzH7eNy45jQnWdQ3xgNYkb65iIZ3KCkcbjKrlOtN1Qu8+PuQmMl175gUVJcaLmpMgsz5IPetyHUWIkmqjgwhim4CyTZGwOaQW376Xq2mZUf9IOhdqLyR8GcKFLsY/GLDzp1eGfx9xUpAu3NMmjblHDdIyRcv0EjS+Cj/EUQwTrw3R2szXAb1m33sIVyloGT8RyVsu1J+RSIQOEKpVLaTxsCoulIfyBj5h9vajMVFdMmyqAFPJTVF8fNmy57VuBiDR1WYY5WT2QkBwe4A5ZZLpRmudeZAqEjD+R8Itcin4Ce8K4LtkpfLZeCUpnoaWk1u0CH5QuFCyd+s2+S2DBnFqfBmhTVzEtwXyd6zEeLo+LGCh2Eu2XwYi+DV5Xfdp4leTwEXQ+63MB2ZtOQkoxT6pi/w1rSlEcVknJJIc0HRhrRSx685i29qmcWGfjw765ECxCM2RKJKdwtYHwyLQGyTkGgzNlWr/EzskD7wwtanR0K0NUBS3MGbBaSmeI+bJ+B1ld2n7Efp1eg8AdMz/VHywvFQpS6HY5ItPCWNcDB9DMerUQINO1EtP1Dd57vafzQGGcduUKW+ywuwUdOU/XTXPaVP7VWdX9EFIlv/RMK4UX/l3Yy/Vf6iciT45zouIgoFECRe59Uz0185BHTn9xeE9oYGiLfKzlnxhNpXNaNmYGVRxKxKwfMNrA+hRtuoGrD0uE/Ev6F5ytMYMZGsQ5D6TJOHXPfAVWo5MzPA1Q2dgoCF9zZvYgCaOcSZTntoJY9X1MiwMkYIbtOtTQ4jJOI9DfXX+kOp/fejHrQEyAasCvh2zxCW2FjMckREdqtYxPEDsHGc8+0BDGgj+00a5wC19U60jolvdLsUwy41inmirgxBMaQhuavMXEpFXT0hEecZfJn8eJqPVPDVLC8LvlB+C593ByHeoR3VOIfFVv3bgCP+cQudAR+U/b8YO4gSpuVV4WF7JXLCwRCi0Flw7EzAuhuR9JYd8GKUEDctGmAYiPy1YiQCLFnAWmZvHQ2q6TeVDTQ5LPmjqM1b4iqoqn3AHhMu9HWswy4LFNujZblSo0hSHRZ+2P/+Xjrgfz2d3QF66ngEjW1tanw7hxGmiZJXXyPN+2bdB04B8ZnL/gBzQ2661fGYGYCBU=,iv:mU4ydooaOySi7MTe+b/DGfs1fzpDXbkASUo1cDsh4O8=,tag:Jh18+kJPLJFlGx5HymywOw==,type:str]",
"sops": {
"age": [
{
"recipient": "age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzclI3dlQ1dUY3WGVYL29E\nSGhZV3VMcm5zYmRsTHVlM2wvNFVyMy9CRlh3CkQrZEIvMyt2TVdXQUJJT21mY0lF\nZU1oakIzOWduU3pNeWVvcFMzNDBFTTgKLS0tIDF6YTROOHBjUnBkVklPQjFRQ3pX\nQWtlYi9iOFFjNUFrSUNMZGJqT1pTVEEKFesEHZQjpenLp3oBQwxDcMv1pEAReXQs\njT8ydzfTuvIP6bXu6lcJe0J90NVZ36qBZ2fTs/RqvZbvM0oufb5/VA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-01T12:12:55Z",
"mac": "ENC[AES256_GCM,data:AhvfUvZnKSnhQCTHJpqs5OBELhGYv66on1+kSLX2lONyTbNfwHYsJHII4zHY+bS5cBkZbjtzMfJQkFWtDbU7c8wvdJnHN6H11MOEzC+GfI3R7UzwzJsUjNYE03u8FJCuLvI1SO3EObiKIgH80MV8qlXC+1+f7mKnfZNH8Kekor8=,iv:pAEz8tDZzaFee1EcNBd6zrl0yN55ywVK/eGof/B5MAU=,tag:LbjMr3rOb3By87yOfUK/3A==,type:str]",
"pgp": [
{
"created_at": "2025-12-02T14:57:22Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RNM47rdREvCOPQ83++DSlGWeoGlVeFvM4a1og2Nkzoq9\nLKsZh6bQP2SC01UOD4UDKBcT7PoQU86xePjV1ze6nejo+L0twrhQNT76jAw5OhFh\n1DkOVnUpcjZE3aBxDa6g79qVKfp31i6xfvgjipF4SMGpSlZuMLKL+nTL1357HXU+\nzQKPwSLymDq7EdxnCUwTGx8rVI59j4hyEwinxZhbQYiiHQpTQ3AHDu3oBO64daPh\n7WEmMShU4I9PIdvie7sRK3txZTcjM759m9B3Fm+KEWZXO/bQXjy9/Kab5WlEWwFK\nP7aHLin53wc6HMZjset3o61i/FPeQdm6IVoUujjuSI6076OqsWv7fQp9NApftCko\ns0yNY0RMgRpOQNho5Navr71eH6X8QujrEkCGzVqHm16issJUJkw95tlj9q4qghSn\na4RCUmgfToQYvL9ahNTfqP2S1xqI4hbP0elBXbrMUJ7iYOWOLwEPCgmuoTyw+RXD\nA5P/HDEvgnkVxB4vdzfcQjgVtR01nG5rAcclec9gXZg8Q3K0b+MoKOhdvTucRNek\n8+t3XEzTBBjPdaIhW8038qbCueuetsWNjb7B3Km/muQ0CnTzQ45GWozKdDC2qB69\nS9z1KIn9FrmGxCd5hrL9fbwJpisdtOD0foQKoD6X2B+h9KqORWbSGLXfxRo2uBOF\nAgwDC9FRLmchgYQBD/0Y8owdtA5dgxv6W5lej/sT7+PSc2fvIQVQvvYTrT2wJxc5\nrTX49HtIFxPwGdwBHH6Z3oLZjojpX7u8bm9+ewD7sOsvC3PLsKfrvx3naUnEZrww\nzKC762LWiYS3qlFR1QAbPWDjJSi7rDqFkQhGMP59MDOifYOLCbSQQpdTCMYC550I\nmljenkA5nm6sdYnHa54hkyiWzGSO+pAv531X5GMaTvHB3+Fy8QA5o3/+ZpNtVieG\n8RAbvqeH8PyTZsc2GW2D6WfudB4jrhvYBio4T8+5/3Fg6pWIq4pmi4o0F8I8BaAi\nuL90IEtSeFQSytg/EL0JtFxMBy8ImlE/SAfM4Y6UZAbiWBykmrD9TM5IPMUbMTT6\nxwfhcsQ97m9sRT2TWSrxp2Q+k/BQxVK+AbOaxEtWqqOUnWG4sskw8DQ+qAU5v0yC\nGH46gbklEYDmvYMY/kLXSK4iYJ0UmXNhB+DuM0WihQJ22PUPZy6YGWjwPgxjoYXZ\nbfoRjzb5N6etY/W3QjGbzhy7H+JLKXZbq+DLtH5A3Wya09ilpf2cy6FWD+o857op\nKdfybFtXZIBTZWjRQSeLOL+a157M5c6MFC/xr7E18qqL6xl6v3jgF05SZ72bcGVG\n2zvTWnAV1Y+oH8NhRb0i2uyZCEWvv8MRrHJFypcUqImAJylGnYu8lwicGXA9C9Je\nAZ6JqTMkc6Ji6AOzY75gP1lPQNv0HrIbE6RzZyAX41WDB+0okERps2IZF7HSb5/7\nVAXUR2QRmqagMf/qV3iNDQS/kuwGiv/2WTXAtm4446/mpdkaKf+gN7dgcJf84A==\n=eXQe\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

48
hosds/nixos/aarch64-linux/stoicclub/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,48 @@
tsig-key: ENC[AES256_GCM,data:E6fpwErUUmyLbtSyCItzLxvrUfq2UPV//5u1VxnMMn5+TWj/PMuwjvmClEQ=,iv:KJrXIgWMMcs7riIPotAK+Qtj94o/sGKrgi7sOxVs1rU=,tag:YAyz9tEf4vC2LnJV56DMpw==,type:str]
sops:
age:
- recipient: age15klj4t7gpfp69472mne4ue62pp6m4e04dmjyw7yf30qtqd3vl3uqjmcyxm
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMREU0eVFEbnRaVEJlRG5L
QjhVQ2F2WHZFaXJOM2hsOTBPMTQ2ditVMXpVClA5bndRc1YzV29NUEorSFNDNUxE
eEFwMnJoMHhMbDJtY0J2UnNIME1DRVEKLS0tIHN1dVNLWGRvbTRsWE1rT3c5aS96
VXBRUEc0eDlQOXg5YlNJSmhDL0ZiUW8KvzVC0PMvMRjBaAS9WhpYvsWc34coUupY
aoF/zkgPmPWj6SY1vURpgUHC5FHolHL3DYQS/SQxdOXSrXIDxlIJyQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-28T15:48:32Z"
mac: ENC[AES256_GCM,data:Rd9MTRKzK4AaqzPBsxztoY10pECecWjHZlQAtbQdzzdLVe2TL8hIjH8TlJ8Pju9nmS5gvb/gB2CoaQZcxJsOvYsEYVg27+B2/ITGHslkbK7ngVd8ARNYITbx/eGp9D6VIYIzPBqcz1TkNvtPIuBLZzjCnxrvhA4gX93ZEEAUknM=,iv:Lrhi7Zj2IqC1ApsRT0IwmhJHaHf3dopvi7/4etVOBuQ=,tag:fSTaLrVhJd9A87PsPV+z1A==,type:str]
pgp:
- created_at: "2025-11-28T00:26:23Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAhPx3hRyNLnIXwbGsjD6lAwhdqhe1yfJikB3+kWa+vaKC
/WOu22h0HB8cQwzeU6+LKeieuy70fEMcE2EHh8HjTuAIoi6kCDFjXA37pEtyIKaJ
9uAc7EBNPOcv2TzFEnHjJXlMIRX1M4RegiZpOiZbkVkJeC7lJSe1mQhvHEqw3wmT
7ye3ohDvHB7y2W040AD5wymntNOO3BSxQJEVPaKo7sLmbkUSPXRCBj7H715dHyFe
jf6nWbAElfUVM9oSK/TiYZwVcZv4/LbexAivRrlkFmnPpQMTrTeafS8r0sUtOoDn
8YKuBu0JQMVFJpLA0hUrH/MIkEalbgv3DWsC5DoEEni5oQY3vC/bd0nM7P0hETop
wGFoBHM/kvGK8AnhcRmWy1fj15/TNrzF4uXn1Xr2tOLFrlLTor3JKCqIYTBWUIAl
Ve98SrZcvEdZKRqQiRyAXueJ1S4R60pCtTp6AtKxc7RyJuw6YM3VD3jcKBeIWf2l
UZr8yKfu24Rhy1WAe8+HT/LBzkB6/RKacBtJZVd0Ffnp8Cjaid3BJN3OQTLSSRCc
/t037ctWN/nSC8M/P6F/ZbSN4xEHRxT75c/qGpSBaMJgtwlD0wNIBCS9McuYD8p6
e74KFlmm4901fytpHJvrdeQl6IAJCPV80540z3N78cdSxfTOF4Qj4/Dr4Flcp4CF
AgwDC9FRLmchgYQBD/4vX3zwM6MDpwW7+zeKrAgXYsHjIj2TYz8EIJ+bIH5/sUPn
F+o8kZyVjAc/c4AnKcCyWz1aYR47p9iHnk7Tf3mh8+MzZ4LCkuZjKmYjlfExd3RI
J0upRtTak4M/k2nxfVnosYwwFJhUnJpBlIt9DIU1AcDshAHnAOOeysIsfV7ahNQB
iYMvk196d+2HGdIPFPIG5tgJOFqamY3TtHrPmFx5SSj1ep4V2IMPqDudZDoyMscn
/8dYZCgnSFBDTFY/X8ngftxaXsdyRE/0QJFjG+c2M6G5gkccfpxkNU0toAwz3m9p
hS3s2YYkrMem/VdkqEvGW3cHnmM3ZHAttrfO49z91nmRaWDMm2ocl4CNoAsiEmc9
/pQN9spgQGonDLM/yMpiuHEZNT8Pv+1YDS7kN2FlHuodsTazAi2ZoMDOrvHQhXkG
9mS8fgVIJncthfxwbswjz77OZo/zyF41WgYzet9Lr8g7RDegmA+nPeFIJ+EVDKXH
o+KMJVbRrCiGnSvcVtBXQtvhcuJLe/LWvXbnsAo18+HPqA1PyaJtuMgc3dihuddV
KXGtDIpiy7UFw5o2w7Plqs2T+N0wQI2MTEkKS/TdWVO5zTMoI1uPE+b5H7z56Cnj
Xa65aUphUxxLMN9rbVXBSfhTyZCFM+nj7fY9pFmoUgfhKSZ83j3w5XlVL6bz9tJR
AUc8r4d6z59EE5vsIuImiM7/jsSudYewau2wnMuli3FmYISiR6kU+bRBmm0nF6Q/
Kqt5nLxrcGKz2ivRxU6Hxc9D4gRaekoTkeP5J0Cr0IYt
=D/qK
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

86
hosds/nixos/aarch64-linux/twothreetunnel/default.nix Normal file
View file

@ -0,0 +1,86 @@
{ self, config, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
globals.general = {
webProxy = config.node.name;
oauthServer = config.node.name;
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "VM.Standard.A1.Flex, 2 vCPUs, 8GB RAM";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = false;
rootDisk = "/dev/disk/by-id/scsi-3608deb9b0d4244de95c6620086ff740d";
isBtrfs = true;
isNixos = true;
isLinux = true;
isCloud = true;
server = {
wireguard.interfaces = {
wgProxy = {
isServer = true;
peers = [
"moonside"
"winters"
"summers"
"summers-ankisync"
"summers-atuin"
"summers-audio"
"summers-firefly"
"summers-forgejo"
"summers-freshrss"
"summers-homebox"
"summers-immich"
"summers-jellyfin"
"summers-kanidm"
"summers-kavita"
"summers-koillection"
"summers-matrix"
"summers-monitoring"
"summers-nextcloud"
"summers-paperless"
"summers-radicale"
"summers-storage"
"belchsfactory"
"eagleland"
"hintbooth-adguardhome"
];
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
nginx = true;
oauth2-proxy = true;
wireguard = true;
firezone = true;
};
networking.nftables = {
firewall.zones.untrusted.interfaces = [ "lan" ];
chains.forward.dnat = {
after = [ "conntrack" ];
rules = [ "ct status dnat accept" ];
};
};
}

121
hosds/nixos/aarch64-linux/twothreetunnel/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

15
hosds/nixos/aarch64-linux/twothreetunnel/hardware-configuration.nix Normal file
View file

@ -0,0 +1,15 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}

22
hosds/nixos/aarch64-linux/twothreetunnel/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:mQPfK2Dh2ACae0a+1GRHY/CV0JpHH8JO+td+RR17UXyq5v/OF6YDfS7loIpQvImEAs6AvIzIdyq0848Fh/34kh/K2ZAq4AknW9jQx5YyP4nbk8/q1/dk+95c0u98WnN6mw3BFHHesKYCfGy82GMnu00Ffxu7WSYzTKxq6yvROS7ugefRjsoMsuJcEeHmoIBgEIjXntGT4DxJjw4RhWPm+unSmce9SXfqbAuuizHm/S5URYvicIzalSITlfFBrpKWNxNe9fC2etDb/fB+uMpG28rmB98ov1W0X/W3JOUhASXVhB+YCau8XdIRPopEnkR4Wm1HD+exJ3CToJMgrdmv5Cj9rJoFI0jvApRpjBix5qDrTsbn3iWbv/QYuCnL8ulXY7nYtkmFjFCG3fLZ5G+6EVE+bZnh2V8KYAVM9moehNJ9Or4kGST5JWnIizFvAeeYef0xZtBMwv36Yc1JNAh3zlHP26lcXew+Ulxxcv07RmmV52jZMfWweyg4nXNumrbmy/GwingIhqN8wHrOD3Tu0HlvqmX5C5YRZg5iVU4lnAjKJc6XRn7B1GQzKeyE9HKagkrULQKGmqDlqEvEAp/9eW+rTR2Yho1QStK7J2RXFnWwpE4PH3cIfHWtwIv67yw+QWqj+lXMztHaX3RIRXGLyqnWtaLjMG+IIYytzaBt,iv:djDts0mzoVU6Cvf8KJb01CkHO+OrnIJyMhTfgJ8lZEE=,tag:JiZ2t5cBfSAKG0b1wAZCZA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdEhDamZTRUhQZFNDTTl4\nVVVNNGZXa2h2THVzY0JWMjE2WjNJT0ZoblV3ClYzeEt4c0dWRzlISnN3NGthR21M\nTEtDQ011dFdhRVdPWlpweS9ma0N3dmsKLS0tIHFPQzQ5VzkyODZyY1JpcE4xR2Nl\nY2MrSERXTWkvNVZCR2xHUGh4ZXMvYTgK7pxPjnh3idl4QzBkR6LHyRskgqA3apS2\nkbg7As6wlEs34TAO8reyZknKTUd3Xif1v9RXiTcu1sEKHqkcqEoDog==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-30T14:45:29Z",
"mac": "ENC[AES256_GCM,data:/hfp7IopUWZSMequVWcpMup9lM/e5G3Qda+8zz8ecPMdMrbUqpzi43QAbiTvMC1Wa2DKWFOsZPilClJQfG0MMEYD4GWehd2C5psK5HOxS3h9pjE/AjctaCwu8RB71paK940W6NY8sCjOi+zm+Az4KDwkOl0R3ApaUMofV4hsg6M=,iv:d5Zy4HXtoSfRN4E0FHjT2vIWMY8k3G422ygVAZ7gXrc=,tag:a6UZVjb9kTj+8FZG1FIyrg==,type:str]",
"pgp": [
{
"created_at": "2025-12-01T23:06:36Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ//RhpX1uVa49yA8FIfj/y/2C92Z7iBl+l1TGjaYMnuLAp5\nYybqAHwi1gzbnhKvpqO3ndm7qHNwbPBuYBDhu1ZDkQnzyzIthx3JA2G+je4Jem+N\nF8XWUglO+lEUpHD62s9JdOSS2dNRHSd/mcu/GV+k0/DzkXDn3TzzOciKBLn1u03+\n6T3mipG5cm00EEstR+iX46FSzOPX3M2+hYY+HY9rQa1RKUrUUsBBdCEYWgMsQOA9\nDGyweibxkcyxIGZIc882gxa06QxM07ON7NuZjW7vvUz3k7CI3bf5IBfaCvDywaDL\n0AKeTAVGVLnzdapZoP9lZmu6T639wu8BKMxSHiGeUenOrhs/Gl+CA2iCU5XimZCw\nbwPvKRbOGLu2eiBL/BHEMg1XpRw6bh24o3vNIchGRqDKbXICgkKr2gXhvli3qPrH\nCXokXF48e51bERfr9YWi0ryW5tgVEMwyubRi85cYnslwqfT78xzKMNRwF8wJ6PxG\ngwT6bEJ/f7QzXkw9VPY2HbaBBhe7XUBRDhLnV5sPBiZW2JDOt9rXH1LqWQLo7Ot6\nLWvOicAtmY5vnRIm9x1pPFKipmTWj7NzRCLEq5yt0borQsPO5RTC6fvhL/1Lpe1B\nzjAIjJBfQptEn4xjA0unZk6x45UDp9KpJz5zdKF43DSvGOkEF8NuTdEXNpeYHzCF\nAgwDC9FRLmchgYQBEADA36phB2C1d2DvEzi7AB7lK5gGExmaYSCzMJkSfjNQ4SO5\nwMhvRZZyIf5PT9wdJ6hCtOSqqhh0cubmZadrFnz/qjXLVSv9aTD4PFshF5lYgT0x\n2GkiIOkrVZ6vuP6/iIW/p+CqztDymVRR6DAhNNX6gx2NARdhii2K/hitW0QejoJk\nWY07qUIb2z0fPVp5TfAf3Nr87u3faYr0usW8GGABFA7IzJwCK1VA1284UZm4zj6Z\naHm+0wK/1g7Ck2sjzbhqzK3HlZVKd6lBIhmwdzcG1y0Ua5L7PIauLR6ArZkFD3WO\naHyyZ5hyNmoyOMjuTvPCIhiZ3T+aQK2f8pzyOApEWX4piCNhIvcSSy9AQ/f5hvVd\nWLG68dIMnmOWYxHX68jdNttSCcc9oJKNboOPKDdmEblZxGx5HZpYYL7X+Q0JKoMO\nqCXVc7GlIVLX0GghAvgC9Xww8XMQTWgJJJAVOa0tlTDJ4ybvCiyy850+ZPTevlHV\nfvlKSSCGHtjVIuZ5b+jMtBqg0aPDY0OqNFSvJ6x6wk0uICMesv2LNAKF7tUkMvHF\ncHljW96IOLocW96bwVR+nQG7U/ZY7/P6+2Nva8AgbrCd0erEZ/2lIvRV4IEzCk2g\nVzuzg+7pjkh1iHYUX+VX6CbyIPyx2Ic+VNaMrbqtC1YiPK6Bx+SF3eYHw9DYJ9Jc\nASJeqALtG3vg/TOKZwOfTp1GNvSExTUKqhEHpcCCty1UxIpNCPByvvsUqY0Q63DA\nyJ4TVO1QLCLwKz8nK8NWSRGrZ29jNJfAjcNDV/FrPiFqSPHVAErd4Vnbeu8=\n=Yn71\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

66
hosds/nixos/aarch64-linux/twothreetunnel/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,66 @@
#ENC[AES256_GCM,data:Zj552Ho=,iv:uOiDvsLPsT3D6A1SLgDl8jbAyz5bK8s1h7mIc6WT10k=,tag:rTD510uyO65F/qcD/UTUpw==,type:comment]
#ENC[AES256_GCM,data:a8v9FPS8GcZOyREs74GhUpnAZlYF9Q9lRU3ZdsYERajtDiGncywKPLE61PlnH8o/h+QkkWjpsjy+,iv:Ck+7CaYym5fT4uy44b8yLw+b1FDvvjxrxql3ed+B2as=,tag:sb7vA0tVe1G+TDcJLhQ66g==,type:comment]
acme-dns-token: ENC[AES256_GCM,data:9AvuFB/nYm2H6JK+pKY0wD658dHGZyV9w8B/+PeTKb5PkFJGlqdz0A==,iv:DeH3sRv9hCzhy38jnXVeGlAbUeXWOwf2avdINWuhJb8=,tag:jXjmtG+uoTonlXSSKLkY3g==,type:str]
acme-creds: ENC[AES256_GCM,data:X8qOlnbaQo2RE8MyMnI/1EsyyHl5t7TemUTRYqhuHGtFP4mK5+obd/S+VzscfVJqPkCY/faGAQXtbI7x9ST3AmxiCZEbuuV85OvrM+lz5muV16YNjovPxG5BsjI/ZzYZ2V7H9CiUQLvoZ9D652mvwA10wPnKrIpZ0Z8TFeC6vFx8vyin07IOQmNnfanUVMf46/axAR9KM9ksB0uJfsEo8WFmt5q0sfXRRe+qBtdgPgvn9ebeU++Tv8JpHTPSIoagh1PslabrsgNEcM8H4kzIsOly9uYmYCZ7X732vTKLRvimJ64+MLWw3+DCy2eX5sgrSRZw8r5F19P6a+gGBTy3TsW+Ql1dI468fayltXg1hiy8bD/WEXaEalaB2w==,iv:DkX6988ls3nc5aoLP8sQOXR2alXKuogRAXCtrj8/pVs=,tag:LTwZhUWgXfbLg3YxQGlZZQ==,type:str]
#ENC[AES256_GCM,data:/+idD/eetpnX,iv:NNXMyIt6uUfT3JVU9g39xjUL71cw5UVmESKVIf54tqc=,tag:pz+D3tUk0gWTfAirJGhlkw==,type:comment]
wireguard-private-key: ENC[AES256_GCM,data:m8fL4Y5TusV4imzcVqTmJZB0rlb+ndoH/Bl7KvbP/7awfR0FyDTmt81+3aM=,iv:qKT+61HLz8q/0T0nKvnV+wap/cvjss8THXupPNlotAE=,tag:cKrRuJjhVYdEWfrFEhUKZQ==,type:str]
#ENC[AES256_GCM,data:IpoTYZX4KGjPA+hZ,iv:Hd1V9//M1f/10HQ7ZEEA9ZtuO8EBtY1kn3n28krYxpg=,tag:We6WirbRgSH1qOjC4g7spg==,type:comment]
oauth2-cookie-secret: ENC[AES256_GCM,data:ZN44Kdai0hUgx0GduynlyMHDnZpdnp1SPAGEaNaNFHGMhM9Q5HPzotiNXQM=,iv:vsYhWriY5G4KLiJ12MLm26B7aBzCL5GAr+S15klH4Bc=,tag:t+MsS0Wgo5papvoeK1nk+g==,type:str]
kanidm-oauth2-proxy-client: ENC[AES256_GCM,data:a90dn//LD6tvDYGSNT2neorQRfo0puo7GA==,iv:a/R6xlwGdrwJNc7qBoo0Zmlh7GkZ1+uU+RzOxRE+okc=,tag:3WpAVThFLXZFsCIl5xM0IQ==,type:str]
#ENC[AES256_GCM,data:vm48D/CiRtw=,iv:7Vs8SfqqGEEU64ZqF3uvFIG7DnUfOT3kGqodiIbCwjQ=,tag:hdNZZUMTLIrAGydGSFfP5Q==,type:comment]
kanidm-firezone-client: ENC[AES256_GCM,data:YD1lkGkg+HxqHrGsbIz2GRq/VMIJqOD+VQ==,iv:AJa/sVAC0s4hdfvQYf+/NaYTJaxO0fdwzNmmD7S+kc8=,tag:JSU6aX8kYbr70+YYwRV56Q==,type:str]
#ENC[AES256_GCM,data:XS4Kqba//4tVSj8AzyLY19Milwl0w7UkTM48t8m/wyB/P8TgDerxJwOGJvz3uLZJX/EO0/4rKminMYSoMybRnNn4TVv9pa9uV3JEkUsGkFk2abMfBriAQjQgziwLbDZQJmnJs46YD5s+sYELN4MJtwFNg6NzEDATDMWuE4+loyxoqgF/lzG3OFGkDl1R2JkCIOU6NGRqTn8a4XpX+p8U5QrY2V4iBCXajGXrcqLfINYW508feq1TAUZazaNdA+RC2SMvq6Diy8mysP1p/5mGUpIATjmoDqN74Yc5uZAwaenI6jIsfcE4JP5lFy7dHWOfTQS/9MCsEsRN2LWuP0ivaKOgF79ykd4Tb19EACdhpkip8XV0hKHJMuyEr6zJ23dUNtBE,iv:lpA1sk5y4tSk6iXAjArtF4piJW5af3+tIwMos1BpPEU=,tag:479ZIsnwkSSFq+C2a0jHzQ==,type:comment]
#ENC[AES256_GCM,data:XeQYwDUAkfNmWcM+jdPdfHSD9AC7Kn/mWRHCMV96AIws9xJq51+XoR2cmiVmLfeE3eQWBB8KrCvML7oyJ25oBjFvFjjH7BrPhhrNiVc6D3JqjtV4Mg/5GTTCsdSk2aTQf3/UIqclYw/kH/ofMRa/O2ujkAeuFCZrM/2+DBlkLqTehx32MCTM6SDsEKrU4tBjp814M4QdDVgdDdLziNDwYgzyGSaCnpV4dy+RgWKKZYElGUIm2QltibV6CLS2iD/HiJxyY0bAeZzaS8fxVVDugg33BAJ5Ttzc7SG7mBqj1aslflK9N5rG5d5fvLN6kMJizY3KFq61zU+2CDjPmvCLSEO7JOS5UADrUOEcbW6bfghRSNHjSMZkoo4+/AZPAsnvv4aYaA==,iv:/dVcnaewPEpSIa2CzVCk4XpUcpRdj7xYkOk/lEyjWXA=,tag:w5w4xnzdkEBwdpVl/LdFdQ==,type:comment]
firezone-relay-token: ENC[AES256_GCM,data:c4PHNWORFTxY4tHp3Br0BWah7vWbFjfuSbql+hkW6nfRyQt9PAxYzdXlF9ArZaXH3073HH+uSBC4Nb7h4u8chhw/14uz4zFZfhJO/YuWxdcP+fVcT/m1zeRr19YiXhFQPcCdqQV8HP4SMZepVJ5WHsQT2DVCmYoeHG9ym09i2nW/JYC4+Gl3KBKG3XgW7gCNW0Ut/CXCg/rxoupHosS56qB6PIng3O+erixugKy/AcHfk4Ew9q2uSOxovCCI8jfWRhSgQtfSV++thwGOuVphwbxQVtetFrgp6xT/nMROWhszqXRHEE2wGKWACrfyk2f77RfDrJE2BzTDKgN8CV5MLJhl2ULNlYRZ8jg6GOM=,iv:8TP4AXIfdVK45bTQGlgmKaW8bFAmd3E7b/ZDetzcwz4=,tag:+N7zOhgMZbdfU3sWnb/Hlg==,type:str]
firezone-smtp-password: ENC[AES256_GCM,data:WLj+kcidIMQIP6gPuuIrujA+fHypUpGUFg==,iv:kg96vVaGund6HcXoJltIma9ecv6tK9AxZJf8n62+9aE=,tag:g54wHPhD4qnHlKZQd+MPZw==,type:str]
#ENC[AES256_GCM,data:aBNmUs9ZW+h5fDMVKdW3WQebJ8zmbHuYmNK9slZx5tZONTfnfnFRYjbzyqFTBKfC0bYjzLYL8AxXiEiPmBo2yLgbXtsOrVMoML3hD9Oi9T/7++BUBpbBQ31cC/EtnALumpes7+hO3DULm5tzWYc9qIz3yB9/gQzuKCqFOB6TCt/PwAKrVKNbcOihx/5xh04s6WyqfSUjWOOcHSY/ng2G7NeYRInLe6TgM6gGQGe2DjXCmNvgxJV2Mh78IWs3yA3aJ9VtrgF5R0PGoqHHZ8GfRZfYn7MBSW2dHztb0oLWux6bnO61Wnm8iDdR7xguQkNXPO0XXIIIO6AOL9duThXYjwQmieqYEEu1BmrvaQ4/tslLHX77axQCm1miwmZP9DoKor3yAziCBMa/pbU5JFlft4QZ2QGY7EreDfBVoDcPjCgA+gXuvq1VozPTiRH+y1hiulGlbGL0TmA=,iv:nsXYOxnWGceyB0aiv0Db7H+oD4hagzwQi96h4mGWD+o=,tag:n4p5Aoh7lYvCRDWRcc9tbQ==,type:comment]
firezone-adapter-config: ENC[AES256_GCM,data:CPY6DPFJ0OZRJqY0u05rAoc9gfCvHY8fFXkSyKvC+VdjNkC4LwjSJkaBU7aBAyIVsLrLz7cS52fcFfwdnAp/6V7BUDE2qpRdpwuN0ZuTMrnFnmLIi0jy4JXcU5niiClSfulgRfY9Dw9f8oHdYiu+uziVhDdjThx61tNyW+OVMNsKv2avWKqotM/fhBf59hJDS0NwaFi10X4X9Z0Oljd9mHQw+LDJkSTX0dk=,iv:IRn5awskI2mZCzQka6VFvCaNnYATvj6yMH9UWs4vJus=,tag:3gbxkbfwS2mNLkVK9KmTUw==,type:str]
#ENC[AES256_GCM,data:xZvu7VeZ8IVeiR94gfJR1BB34V1z8ou+YKRrIxlK+qJ8idgzEKXRiWCcdwC345UNIEuVShI8CT7+Bno9c2bllkkKwW4RhSEnMOYo3g+iouKB3p2iwRBX+OEZuWbpoZGDr1KpHLP+ypiTekNOAZgx4EmxQWFL78bBMswoPn/Tv5ahN1Gha75A9iO7nNQgjRIn62s4l+U1cMXDBBKUCIwcfg==,iv:V7G6wGFjSoKNGNuwW4i2U8+zKI8AQm+ATbSLls7688s=,tag:jQqxbMGaJ96fHvPj5Y0CTw==,type:comment]
#ENC[AES256_GCM,data:td0zw1WORHtMvBO7IK06Of1PoG1QTMiDeJ8KSa4LpLrIgOPTdIg9TkU7UYPNxFD1bVGpU708Rs8Skmyz0v4y9S9H6PM9+4fVij5GN6uaLH/pfMXzaArD8SHbppYQGgpVqsq4kJ+sk02yAjvEM4BBfTpOEPgnu1CSmwlyjw0ysrCwq5YLOYqAQa9rT9uiVCL3FYWuuUzh7SPuRaZouGX2m/MdtQ==,iv:uetwzIK53P3ja94Jw/QDnrel61ducf907mZwB1yy6cQ=,tag:89IjmIvEQs7ayBmuvw3RFQ==,type:comment]
sops:
age:
- recipient: age1g7atkxdlt4ymeh7v7aa2yzr2hq2qkvzrc4r49ugttm3n582ymv9qrmpk8d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNcDZzcEJTNE94amhZSEZk
Wlhkc0dXY0d5Y2Myd21YYURORlRnMDRlYTBzCkZ1UEhzSzdTZjJENzAvOHJBVFRH
MDBMb3VmTGhnUXhRRnpYS3p5NE5HYnMKLS0tIHpROEhpeDZQYUNJMkExTDBsNUh3
NmVFamgzKzRlV2oxS0x0UCsrc240eEEKByZ5WYf+QO8T43VLfO2ym4x7TQltS1nS
ckgZLorWZBWQg2vAwQktxQ0WTcjhM6tktZ7zgCIzKBLbQXtSt7VG9Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-02T14:04:11Z"
mac: ENC[AES256_GCM,data:1LVGAaA5z/if1C3tVkrM3iL2Jmz+XQfFJ3df2a02wyIIZiY8/oHguVYN6rBwPFY7+CJ1NeuTL/lrz1y5NJwhFEtxmrQOVYzx5HCw9uc1psTDFJFt9q0ZFVsBJs3wQYgf2QJgY2PAnZpmk6T896KHrmeRKty6Km2ltVSp8c+ieEs=,iv:t+9xgqcjjtyxzZINT60sB3qB6QkpROC9Rs1ASz/7On8=,tag:iv7ojyELZaGx4ZZhIDv4ug==,type:str]
pgp:
- created_at: "2025-12-01T23:06:35Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/+O2d2BMDS3DVPfUHLD69K6VsdewczQkPoskMrS5JeQn0R
gDhR318J311UMClomIIrgDlbleoKS9tdC1rM3DoCaGFq4MyydK4MLy0+6wme1n3a
ZyOsQ1jSpdgkWUfbalbxL9/cWtQBwfahXve39L+ocqb34KT8jeLcRNZWORWAst7X
a6fHFp4gZrTnOjn26TJc7dJxYGWQIWk3WBYpzC8kpqkMaIemIy0FHaObNYy3DvM0
Z++AYqmwEYiz+tG1bVRUZ1ck/z8kR+Zv1Wg0uVM5Jmg6rArrz75xSS297euPZhO3
bQwEdJ2rcrdaz5LHC6zgsDrVz5LsfoTxilOwIgsqSGqOBIGAN6XttZXjjul6MVyE
XBlHqqrCVlLl+OCumWC0U6vr/bcGV6CaMJPE80Rh//wThtvyKVFRQey8EmJH7IGx
vHtfOaOScJc0sCCyXOx4HBeeGAYq0ogSRTlgK6Z+kXx/MkYRHiw6Vdrw0anmFF08
7lYB4SPafnEB4m2IPz1390ZSDXWGT5QmrhpnajuILIIcWwe0mNPfDbLQWF6CZALB
UJs0XvM/gfXhnqVnkayTXc9IrIHkLoKwyMh1g+st+d0fAYaUD2Wd9BI+zi22m4iR
J7Mw0bMBciO4MRIZEEFsCvuv4UzFjQ4mO9ib6LXI7y51sIJuYPkq3lllkntFdCuF
AgwDC9FRLmchgYQBD/9F+tb1K7aKNq73pk2YTmzH+WR2Dr3+MxNgnQlnIJMxdoTi
QE3C9U9UaO5ngdHbnG3ruBQKjGhLI8meFMTJatPwuOFcHPN+I3lEO+PkHGH0VkGQ
A1xkeFizc5l0tfTD9JpatOwaKKr1b4cERZP5hSTZ3MJsRJsykySKmLLpfmC1pZ7L
OWLdJ740YEPXXw76seRgZ66tKou1lADRBXAfHxmlj7yrt/MB2xg0FfPw6/i1HTlV
kwyobNlNO6whpgHjX16Qfcuj5YMRSDmyb+Ol5dheiA+DvoowhkijCGv04Mye10RI
bvjcmhVA+2lNP3tzF2duyIQi4nPDhQLcBs8djH8flKWDZOuz9Jt1QDTb4h6iJzfK
RkfU9j7/GjDiiksOdC0/yYgn90dGdPBI/iR890Uyuav/nwzF9Kz9aHQGPhCbwfRZ
gN7f3zyt9XPw7Qdyf5+zvaarg5xf8i3q6vhYZSGpOGC/ZrRdJcNfo5Sw4gVzrTOD
M9IGoeoyWkCHrjKPjYf8fVW8dDgMsddaT/ub8jh9OcM5YA6mrbeAGyf135mOurLd
PCsu/tNAA1GLImgc/MYplkPsOfC0+7fJ9gCSirXyRgT6Eir1VJLL7wE0zrPYfqdX
NOXYKdHQxfhtk33XlnxNJ73cJVGtBXy3B2kkM2DBHxY2Zj8ysO48zSri280RVdJc
ARILzsczZMXmJVYuR/r103j+doR/kMVEeH+gwhTSyj3yOgP06Ychawx4m8QrjF93
FfpVVia8JmpXAymJ93fO1HCzpQgZwX+BuhjfGcUoa3kr+lJjzU4571CCI84=
=lNG0
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

64
hosds/nixos/x86_64-linux/bakery/default.nix Normal file
View file

@ -0,0 +1,64 @@
{ self, config, inputs, lib, minimal, ... }:
let
primaryUser = config.swarselsystems.mainUser;
in
{
imports = [
inputs.nixos-hardware.nixosModules.common-cpu-intel
./disk-config.nix
./hardware-configuration.nix
"${self}/modules/nixos/optional/gaming.nix"
"${self}/modules/nixos/optional/nswitch-rcm.nix"
"${self}/modules/nixos/optional/virtualbox.nix"
];
topology.self.interfaces = {
eth1.network = lib.mkForce "home";
wifi = { };
};
swarselsystems = {
isLaptop = true;
isNixos = true;
isBtrfs = true;
isLinux = true;
lowResolution = "1280x800";
highResolution = "1920x1080";
sharescreen = "eDP-1";
info = "Lenovo Ideapad 720S-13IKB";
firewall = lib.mkForce true;
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
hasBluetooth = true;
hasFingerprint = true;
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isSwap = true;
rootDisk = "/dev/nvme0n1";
swapSize = "4G";
};
home-manager.users."${primaryUser}" = {
# home.stateVersion = lib.mkForce "23.05";
swarselsystems = {
monitors = {
main = {
name = "LG Display 0x04EF Unknown";
mode = "1920x1080"; # TEMPLATE
scale = "1";
position = "1920,0";
workspace = "15:L";
output = "eDP-1";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
personal = true;
};
}

122
hosds/nixos/x86_64-linux/bakery/disk-config.nix Normal file
View file

@ -0,0 +1,122 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}

23
hosds/nixos/x86_64-linux/bakery/hardware-configuration.nix Normal file
View file

@ -0,0 +1,23 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

22
hosds/nixos/x86_64-linux/bakery/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:M8uEE2uxhHHh5UdLO+J18EMVWm+9FCR2BHMJ3P0Il4h+0CqWOS27aVWPjI2lIt+jw5svt5kVbTIzwvw1GmEdcXzJrE9yZ0eKkXSm/TYQQZhlmcPcNeJyDf/bLivwExKicRy2JR2KNyAoiW5gISF7nkUv10EnM60mzH2RftPijvdgSTmdoNu/9Q0J3M46k+EVGO370NXT89eSbhFMS4r6M94vKaA=,iv:C4ELLFaF9yFfDH+g/TwQtRm1DuRtIAxcI55I0mpKd70=,tag:jLWAD2pLkqzekJipf/Rc5Q==,type:str]",
"sops": {
"age": [
{
"recipient": "age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZaGtCbDBYaDZTMUhhbTY2\nbk45NWRPZU5nWmh5M0ZDNGF2Q09rNHNzRGhzCjh1d3pLRnRtZjVnaG1oN0daOXRy\nUzVFd3QzVTBib29QbGN4cXNheVRCNWcKLS0tIFlielcwODk4MjFsS29ybXNDMm5y\nN01aaHBFN0VPdTNrMzJNaE9NRG9KRnMKNV4rqYphPTyXF5m+qNq10aIov8quVh2Y\nALelTPRpD/hMYou/s8Ro49GHNNNKeV9J+4Tvq1QEmIIdvjFLy9AS9A==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-07-10T15:25:21Z",
"mac": "ENC[AES256_GCM,data:pMWJo+JuSgs7RE+rc6vB1u/V3kfQzRjknxIMkNNJCcBp2WVoz84BZ23oruaB2Z/ZSO9zpaQMHkuAqGZU7CuvZ1JvECHWov5fRkXDPeaeIVw3dtof1XzH5plRmAUzabrmEzrGSnwJrJ6DRlAhrq2gDyyIY4qmUeySc7zgR7QVf0o=,iv:iCM7ulRAP5FYyR/z7CSDRYMsm2Gjs7qWLChtslGfzO4=,tag:QJ2Lxmwvgd+ILHeYhMvmwg==,type:str]",
"pgp": [
{
"created_at": "2025-07-10T23:51:27Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmKgk+exHX36+IkSQC03yiRpEKpmkqt+FcGsbDMonTyow\nmvhmwSc7UscNOgOQYDYA66vMCWE2Ij9gxFJNpPG3rXFiC11XN1/pq+Jy3Qvk3DNV\ntnXgwDvSt7Ry7FThXnPiJAkcjwYNeTniyjzKcUmXA+yEJAlswjGjH6uP/Nvkeo2n\np+OvRQc0cXHBSTbnIq4dHaqVlp1JWOQgtZVrIgwN/rv3xvDPE2E2dmCc9hUg83vk\naUT7fDo8v5hWwJJO7Q6OvECKw/D4jWTxnBP1nS3a66shkpcC7lpYQjE6AtAM3AbY\nB84rat/Tff6ZcmtxMvIa62vfwrfSh/00DmRlPkIe1KlbjrV1kafzbySjI7q1vy2l\neZL7/Zi49fy/KudQ+/OOMC/PlhGLYGtEo3sNmLY7pfBNuMmwjYQ0K/1kKQ8XXJDw\nbWQDP+8aeIKKciLy07NW5Fd5gc5S1exSFHDQyhCXjdUcPk3cTfnEvMP/T1bCNCaD\nGxy6IEifdJvYNeWyaxgbKzsLmz8kTd6wPj/v0BIdL+dy3/a/4SVLR9r7Qn3bMgkc\nb1wVY4XDyt6LPnwVY3UOFPSCVckGb8NRnciKOj1TnsaYI6xEQ0ObuuAedVJQj0wF\n5OqYrwnH+riiLFMVzsEspNQNlMTRY86zPIxuNe8qPDdVL5CotAoobzdmr9cc75uF\nAgwDC9FRLmchgYQBD/4ntfP9dGtNzb9BjR6NEmdqJDIS37lHCc6ts/f86VCiy0tk\nhdtVdZ7sYdFvzkGimfmcbsVJ5VOPK6S82L0xUlROCax1bVkjK8VjqppUbTxQMgWh\nek7pPzE66MJzXlpqGgmRHgLuV0yhTqz9TGbTetjYYlWiOGMGYHwvxMLnvTvQIbJb\nBwtpbK0SEu7ODMn1mGtWpzkVI9rDeCW/FT0bBj1KvkWBWbCVFCSVGjmxuWcFgRs/\nc3aNA/DLQMsX7TzvqiY+dXLdp9/vuyqIf+qzC8IIrI5fskzaVfjP+OzeAVTXeI/f\nYsgvF31Z+DfMAFQ7dnAQ56Ys/oSdNTaAnhfFjI4S40qw0SfZdTWzUm9IjhnZKgaU\nNV9V3b2D7nr64JxutHzYiJemlB4Oy+HhqMQR3AYeMDX3hEG1Xt7splkBLdXccIEe\nGTOoaIffV1QUAB2M9PVyidpLf98Ii9s8Mr2OUcQsYiJy7jNXTudx50mnIhmBSDPN\nk/RSFoMo0+v7jC7lWkfWhvunUJrJ37zNSEHZcJo7Wj+SflqZDI/QRQAez6xRF6ih\nzgFfAgNSDAkbymvju7I6V9TEOw8rLdlXLlBNd+GAy0S2HfNIN8lx2tVnP++zP54C\nhdEDMU+uKp98Wu1fVuMipzjfPqJ0lpNj9M2+ma3q3w1L4YbMa+nVEK4/mmP0e9Jc\nAdvTsgHHFgN5KOwmZkQdAhKJ89cwcGUwZwn/gO7pEGoOw6WaHIIE6ueOiThfkXm/\nWIe1AC/JQapdMlvmF+2Rf51RmSkWX3/vtFPNkWvgkGgCely/eDXRK/si+kk=\n=ep9e\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

48
hosds/nixos/x86_64-linux/bakery/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,48 @@
home-wireguard-client-private-key: ENC[AES256_GCM,data:ozkjvpAAo33495w2c06Iu1ZFvh+IGNXUDYuWVWACBoNRQSKaBX00c3Ynd10=,iv:wbeYJFEopuANyiKnWoCBESxa1dB/insEFJChEqxm/Pk=,tag:QfvICpbK5fiNEDhRLxQYGQ==,type:str]
sops:
age:
- recipient: age1mjgw3nxlnqdj04mgjz3wn7fj2nl2nxla4p2r2fn4nkvayfgp09pqllxzyh
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Q0Z6VUR4VjgremM4UHBZ
Tk5vSm1Ma1RzMkZNRVE5NHBtMG8vNFVXR2l3Ck1yN3NoS1UyOWMyRXZTdndwaXdW
MHRkU0d0YThST1VEdVJXQ2IyMDlwaUUKLS0tIENrV0tLK2QrK2t3d3FlZU1WMVIw
aVN2eEE2WDE0RHZxNTN0aXVZbGJoUXMKjje3viWHrfHFnxoXOS3R1/TEEr2nV2Dv
2Tepz+F/vrNkH705fVePD+SmPXv0j+bEH5Lf3vLi/9zFqhrqgFDExw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-13T11:20:48Z"
mac: ENC[AES256_GCM,data:vqg0HHoDSLlPFh++CZZBpALrIOrnBtLL30XWzoXpYXMBKM/XCKGhjFPmna/ew5stK7ylNjIiAmvX8rZB3ynG5Si1/4zfGV8aKvVKhcrUjB1Upkphq7jFb0MI2JoJN9dv4SDVwKtiog8T9aYImNXe62/nMI/5xHlF1moY6JXDE0s=,iv:LprVDQU9KeSwuC/cmy06YQeCMYhaEygb44I+GkvnbiI=,tag:fodgL725veQmxsLuA57nDA==,type:str]
pgp:
- created_at: "2025-07-13T11:20:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAtBAhSfBmcZqHKU+JiBPcs8WftmIZ1L48ERCyWAfh5iHJ
lfGyM61PVxb7qAFbXf+sXsZX2QtMVjobqYgAlibGLnlUl6f1RaFHdfkbUIr2NGY+
gjCZEGUmunwRzd9hozXj12B1juop8nB5kAdeGhJ/H9CIJofYalkqlU33YNLcROa/
lGqV4Xu89QfMm+tXzz8JpsXnW+1z1j/9j0Om3KNQYN7t04BmNAYwSymFuubFEnFR
Y+tvBPqDPhpxT3YvRIkbPGhnWZBlr60owL8S1nKujVLQmSr/DjwS+om12kPl+Tpy
s0jAVB5ja6FCIE6pa5WMV3wNUinis/a/P6xJGiFxS47ZLoVjQjuF2y0pW3N8O/8v
mm7Q7J5rWjF4odZfDyfpPdh3+Gmb2cUERpK0i0BDT8xAo+6F4EkcsWrTb8BrI56X
NaTPFLenluIedqqewgN6AVjX0WaxZRdQIKupmujeWefhBgDwX++5misZdCErqLcX
uG0R8ziHGi13dm7mhn+PorFEMRcAHhQqVIA9Ck/Eg48W3GQcbGlOl6e/0S84g+YU
ndfz2J4qbJtJk/RmarpbSE2kI3edfs1DC0nM1YUIUHm91UxXZ/yhXSiR0BsW0BpG
YRtyT6TpseAfBhyMgFjeyiDk3ngLHogJT8ov706X+jG2IGz1n6MldM8EMKry8amF
AgwDC9FRLmchgYQBD/wLPUOWXyhPfuXkPuC4wOdH8q7uvIpDCJM1QfegvM0Vbfaa
BcqU8V0uC2+XirM3nLYjfgEuLtXpDnPnGx26jYXiAwO2rzurWW3Z9BJzyp+n5fBb
uoWCfTlihAznDOW5TvPTUpgosZShFKGs4Gh8Nvcm2lqx8wQfOjSYJnLdotmOYEJi
t38OTIFDobNATXvsuNHSocue5TjgCHwLvSFUPg+o0s1Xx3DSMytX83slXuYd+WRx
GbA0wQDxV03kH27AkhsvYefcsntxOW/FsZk5XzARtkCRdtBfiRb4bRRWsrrnzNBT
6hCb8+MCmnCeFFJRkj0izsA00j0Q6tE8s+NlhpeNIB0p1bxOvjyeJyOEBwI+G/s+
vE1mewutNnPYploy+E+zsmszSrWwGe97QL1rKmVgYMirLKtGo2CBHlRsgmpdhoNZ
ADrgwNCAUPD5K4eEi1Dl87p1LbdjCd4CY+c50NWpnJP//LAvTVjZFqkQr7xgnBqO
maPzDbHCQgjboSWHA/bBDlv0b164NsWJtpDrf+z9R92bhCvjTtQxQdcJ4ZXz8HWU
Z32ilAALR+uySN9gLoaVMMZyQ5vELWvFK66zMBpk3wLWPEus0e9zOA764+JYXbUG
25T6DbKNNBDtnT9w2ZRrmrK/B2CsFbZDQ4R+pom8Q8IeSke90d+jDAZzHF1erdJe
AYZ0wZtqJgw+IJL4TI9QEgFBGa1z/+83ZFuztRmwQJIawEHisWt+3cj+mbZKSHRS
aRRmLWPtvK9w/RSeoI7op7s3rUdpl/FabzcIudRYqtRiP9/Syly52YkRD7503w==
=hhjd
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.10.2

54
hosds/nixos/x86_64-linux/eagleland/default.nix Normal file
View file

@ -0,0 +1,54 @@
{ self, lib, minimal, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server.nix"
"${self}/modules/nixos/optional/nix-topology-self.nix"
];
topology.self = {
icon = "devices.cloud-server";
};
swarselsystems = {
flakePath = "/root/.dotfiles";
info = "2vCPU, 4GB Ram";
isImpermanence = true;
isSecureBoot = false;
isCrypted = true;
isCloud = true;
isSwap = true;
swapSize = "4G";
rootDisk = "/dev/sda";
isBtrfs = true;
isNixos = true;
isLinux = true;
proxyHost = "twothreetunnel"; # mail shall not be proxied through twothreetunnel
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselmodules.server = {
mailserver = true;
postgresql = true;
nginx = true;
wireguard = true;
};
swarselprofiles = {
server = true;
};
networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ];
}

121
hosds/nixos/x86_64-linux/eagleland/disk-config.nix Normal file
View file

@ -0,0 +1,121 @@
{ lib, pkgs, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko = {
imageBuilder.extraDependencies = [ pkgs.kmod ];
devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

18
hosds/nixos/x86_64-linux/eagleland/hardware-configuration.nix Normal file
View file

@ -0,0 +1,18 @@
{ lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd = {
availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

22
hosds/nixos/x86_64-linux/eagleland/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:sfFILq+nY2tqP2aHjJZqUZMdk+qQXSsL72ubGsu/U5G8ULqXcq73d69Op1M8ARfLgOrzoBfzyjcxFMUZiVxoSHevEtqoRBq0Yol6S+3m8vXbW6k/4tj7vRTCsnuxEbGgX2MCbpfb8GChkX2xy5ZKdOWTyXNGWIIAOkHj9NAfnKz2ppY8tFPcQseOtfbI7o/MiFtaMzI6HTpbgBqhifJHLvJyIjsFH1ZecyYjYtL6682isMGZwywUdzaE7dH4m8+sFztHiliJaCM/gID+Kl4GsWlIqZuJmCi3Ac6czCCnLf2fXk53YLXawjwkQmNWjSkOVYI5yybonySSzmyjCfB15487E/ScNlG/Cc0GesoaxkJQpgys3rjuyIUwBKhfHa0qsEd5XkUFKemlB3uQTNfst6CQ1WzZYagIGwTM4zB8HjsjG2hRX6Jck7kS+5eQAoxToe5Z/bDGworUYWRhm5To7bbWn6w2AZ0FjWsb/h2lGy3rgCpjtaaKLAcG7kzbXyUW3crjLg0NR7REKYQf/ZLDGs7a0zYiDfGHyh9+krNiZ7c4dAlCh0lwUJuWSLP3VBPlcLqvSoOg8rRvoJwmIwh9rCCuKxhhGHwwL4SiE10Gw+5rajHNfj+ZnjvVXmFdpZRQW73FF8ThVexKu0qtCmzGik8R7wIhI5AW3Pj1wBURftl+jd3vRZkU9isCE3CZit0L536ZJwawoAZ0eU5tYkRjI/7iHXAbyLEILspSdrHDneRiVLh/IYXv6BEtlZFXwQMtPRPAwx9F8JG0zG9iX4Yy,iv:js4R7cAoIFGCgURc2WyiqRwfqLLBKNWCEEAlsRYdUeA=,tag:NZD44GRRgt7B7U2oDBDjyg==,type:str]",
"sops": {
"age": [
{
"recipient": "age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR1ZPZFUxRTh0QjB6UDJ4\nOFd2c2lFejhHck5UdUxVbmFFbVRYNEJaSzJZCkNxbndVVThObDkxUmx2WW9ESzhh\na2o0LzFCbWdJVlRIV00rTVUwTktoek0KLS0tIC9qalVvZmpGQXZsV3RIYWRPbmRY\nam80NkRkT2l0ak8wV3pTSW9kSC9nZ3cKCH8eEMmku6WMliEDdAiW2Lk1jAGH9SoP\nWQ5Y6e90jEnp8XbGE7KYiG+jy5fHSc6Y5/YyMmi/b9bF9AhmRT6rdw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-25T00:58:02Z",
"mac": "ENC[AES256_GCM,data:AVZqvJDOcRyUKkxxN3QkxFDiPgB7R/yI5cSGrsgZS/T+rcyi9db9fYhS60c7egLpYmO1ieBk59wwykCAP5TdTQoPXm/+O24MCXquEYuY9CR4YjYno/dBnbCWtKvIB7vs/yIyVfKBW4VQYSbnH/LpBSB6RJ0ivLU9S8hrmrgTkDw=,iv:pSbmaXMW7hqxxTNS7n9vDlVlO7zE3rqHnDAP0XaC5xw=,tag:jH1qSjGWX8bwKSk/MFmDQw==,type:str]",
"pgp": [
{
"created_at": "2025-11-23T15:25:41Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/+OOUtfNq9RBpm1/AbgTjenkcsRwzvyxMQ+VfT7AN/OjEH\naYaVnoU+IYoUJIw8u0zfFuJGyhcU862pMN+isngqNNZiEqY8C9rP4+l82Ks4qLU2\nanUk8HPcUc7bQC19zoSpl5MIeppV4SNC5OAph+YKVcj95l6OFw1EieptfhRFtTps\nwUKMf3p9FC/ndxjDG6Rxro7RQsETJgZ3DE3tRFPsBzMiC3sf+fsOzFgVyABqYZ1k\nDr+pkdBzGB3LXOyeDJWK38DxY/NEEfDgdSGLC6ntQ8eS9fbcNajT6FUwH2uwHJ4y\niWT6Q8z+XFjh3Z458tZhcnBGv6AKGeQ/QG9z+0DALKkkmij+vJqRAGjJxur6XM3K\nf0anUMXLeCINcLEa+Wv7inYJaPXu2NSmqtd1yYYXoAbVcnmzmgW9D2in+JnG5urQ\nCq0MEALyp1axExIaD3BHrFIaK9IX2PO1E/PLDng8AtGEx5Fn//OQX0Wt/yB2eEk2\n3uubPz1a1eMfRz1pK5CFOpJoZ8bmyg5n4g/5MgVgoxzA5nhjfMYD/HD8EG3ta8PI\nrQZhtlg7C+5nEsNevD4RPmzO7z1JdqJGMIWPPUJKZ7WozA5192aAw6HVKdtI4FH7\nXv4KY+GcmUvsKhpaWidW7vsY4MWSfn4m6Ybg2vqHsCUjj5fHVHF9BeKQecIcTTyF\nAgwDC9FRLmchgYQBD/4mfMCt5Ez8WITcru+pwlMHCeSUOxfftsydqdtt/gZ2oJTH\nhMMN2A26x3LXIfZ8IA6to6ldxQLfj3gDF8H+akHbRyndrA1V0U+EhoNZ/DYECkNB\nx8xtrJwsY47siT7sWlounXqnQr5E4nfSfDOsfSv04aUyyUsMqdjFRVY1/b5BCkoJ\nOptFJJjdosfmGfsHCGYvqj0XNycVQj3ioYEwOdDMlZ8riSyRTRPL9UAfgFeQ5swG\n1I1qWaF2+8KUk01wQwmwYLKs1JUnVOl6Uy4XpHbcZcCEIW3VVnwxFVCYcHwhDXWT\n4YGeGFfosuthL4AjJ2EmNKLq+sUxmD7ANS2E561+0BDAakQ3Z0eA/wpJ6VWQtfV0\n05tw6zS3BWwTi5fiiN4JvXqnj+8aT1PBtgxrCeDCjQ36KGViLzDsZOCMNYcr1EZI\nEFMTmaUDFWtoHQKi7ZU+oiRGGfZdnbh0icCsnBecePo4//LaCvBn6lA+vFBmuHLo\nZ2Idh5JSYFoEvhdX3j+sO0dOqzQdDEDy6+Y3S3T4vuSB3w5k1B5c3EDseKfLHUY/\nhgAIxO7rtELyhlFODMmEOzLWwOfxq/5ar/izxkdQS5HPNyVXT6SKikTGmI2z8Uw3\njyCaXv7ny5IVG/kR5aTP+DIHhichcpxJk7j+wZfZV/g8O2PWQpYXfxr36gSo49Je\nARJUBGaEVAhqoNfaHCUbvHCSbbI2yKY+sliX3p7MmcMdy/cvKyowQUuw/FYtdbGD\nHwCe6GZZzHWJZkX3nju3zhOy3gBDBDB1fbF4W0VjsjOwYjy/7MNMVH0eXli20Q==\n=qkvc\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

56
hosds/nixos/x86_64-linux/eagleland/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,56 @@
wireguard-private-key: ENC[AES256_GCM,data:grHYayd0/og7SZhnkemUE9NySA8M2Pev5C/GgXH/UMnRXJLDQiJameGMZuQ=,iv:FyJJeDpGu3OqV0YihVUnBNcgHVH4yFOR4KkVxM0qQzU=,tag:MTGgQ+RT5boa85gHNkWBwg==,type:str]
#ENC[AES256_GCM,data:TeJxdPs=,iv:M76JVBlBfgjjm1SuT/0tG/98FXpkIPpGng4u4F5p07I=,tag:RXAqa2R0HmEOjW0dD1treA==,type:comment]
#ENC[AES256_GCM,data:YczkPHAlYVsdVPPGyuByxK9wvRVbAuR6rR9rSFjMvMGxg0QUdIa/yo8o0ppe8I2ywwlLSROp3WLJ,iv:ltLRGMLZsOte9jQEi/VW4Diu/Od8kHPbzsmvPqVgLCE=,tag:YbtxLcYhvPZrC+QFfxtMrA==,type:comment]
acme-dns-token: ENC[AES256_GCM,data:5U/74jeGpQH39kyjuVwLU3WBYk5MrCMZSFouRFRVbB5FhOkiJtqYBA==,iv:f1TgdiVVbAB+580AtQAe8mCXU0WuS9JX7AWukKbDYj4=,tag:Ut0tbtiNcV/NxfStyZA9XA==,type:str]
#ENC[AES256_GCM,data:dZiEtGPKsbsd9g==,iv:lNgXQHx/w7pm3EUTBwyFnqv2j0T7zQ59nFLom8F0hQ8=,tag:1cF89QMfjipYZgfl08qSOA==,type:comment]
user1-hashed-pw: ENC[AES256_GCM,data:uPyDpGOVIqE6cCyvhXIM6v8sTqEx9dV96oqMYS7fRMLiR0kYlCmgNBEeDFmTNRskqwW/WGXrOBn555ZH,iv:KbHW2mOGzOw4t9aOrKLOIobkUNLWj69dk7fFuy1x3aQ=,tag:51+qAavIiM6K256MkhBaZw==,type:str]
#ENC[AES256_GCM,data:brmNZZpgXixukd/wVGB+aedAR69Lw97B/vJIJndX6gSZXmv85ioXOE+INhdXFzCjUA2FDZlWOVmBLbtWSsgF9bqV/4WTBOwk8Cy4fInU,iv:x1aYveoBXS48OodS+4MtW74oUdCS9EFdaFZBgpmmfSU=,tag:FlGm89rFi5ZLoRq8Uxnpbg==,type:comment]
user2-hashed-pw: ENC[AES256_GCM,data:B2gK16sr8GqnngSyhG3vdGb9x8M3j0A/KDF6Vak+ZHO8hOsFAriKHnHEyvcJCE9p6oi+9cqPzcbL6VT7gYQf3KJrid+Ejzl4EQ==,iv:PVG04/i7xAokvcjcedXOEYuTwfdt0Jofev0Eit9kD+8=,tag:zCV4JPQHRArqW48lkhCzfw==,type:str]
user3-hashed-pw: ENC[AES256_GCM,data:sr7jv7PppT5Ub8VsvipXdZZWTZ31GFscmZ/CcHzYE4vsfIYYHpFElHGMjlbcTSLjyqfVOcXAKNvabcoO,iv:C22sZLrUUc3G80yyYr1snuwqtAa8USZd8FRtua5hllw=,tag:lu0hPo24CXNI2kE7C8g3Eg==,type:str]
sops:
age:
- recipient: age1cmzh82q8k59yzceuuy2epmqu22g7m84gqvq056mhgehwpmvjadfsc3glc8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxWkxKRHJnTjFHcGlhN2Ev
aHphYWN6SXNNZWdNc2dBclViaUJFdW9HTUNVCnN2Q2MvMUZpMmFENlpNTVZmZFJj
bjFRTmtENzQ2WVpHWmc3S1BCMzZmeE0KLS0tIHRPZlNQRnZXcjMvSERuVVN5WDIr
SmZrb2xuVW5VVjM0b244U0lkVmlkVGcKin/6A8ONfW72fbQmvJWiNCzAZfGUtxCI
WV0DaPvO7sO5y7q37QxVUOxgJgF0WpKiNel4Y9E06xbl3TK6jXk2MA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-12-25T01:03:31Z"
mac: ENC[AES256_GCM,data:phjkITBZVZ9Mk0y1FL2dZNgrxyIPbLIXmoTYSlRdHslHg0+hBViLnXAvS0QN/HvsvAldzH8THyACQrXDZQSFBHljIy2wqZr5bu7ByIlRc8FhwNePXNOUs7HH7bQISvFuDWrXl2KQn8OirfJjpIpwQIi5d44pa4Fs1+tpWAg+OiI=,iv:k7brMvP64XV5eNYdm1OJqpjEJ3xEhhfOqErBIG7xMNs=,tag:EhXT3gZrZg2QkYzVCUQKlw==,type:str]
pgp:
- created_at: "2025-11-24T12:05:01Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//XLsWCm+hQ4388h7XmawVSSjBF5dRYHUpuW35fMG/+EWj
8cGL9dXCBTwBMCV1tEPQikjdVdzFPfCdroeKozvdt9XEOv26sYxtUwihPsp3PDtZ
Mq42veeVqcd33NgfINim7DALCoF6wlh6FM8Xeg/HHcFk9T6gcnhHRWbka/nBXm5y
3ESVCMws+nuenmNsAp7NP6+TbF5kToSHSd5sf/S+mdo3rMIWVtdwc3Ox7RGeA2Kc
1AEGfkIZmrUtnCnhbE6Q89nNfmtdmQ6RFY0sPZem3Kksx5SfxLTP+QwsyUeNG402
ndnjCKiWLlQGkO51wgl3oobJ4KqqC1A9wMvYCIiv163bCy+jA1fsGH/OAIa3kCTb
sauCsLeq3ilSmzmwbWKFIi3dst+YR63XSs7aSCaZ0HnI8CCPV4TMtNkgtiVCXIGv
UmF5XCx7aN3cfGTbTwBzMs741HzQHSxMgKekicJS+NJC/P0DfJu/st781rFqJ536
FLYF9yK98kVNLrxpWlw+ayp8pP2wMmDScYjZU0Pi4Xz9y6iF0ZtJfEc/NaThKJ6l
K1xat17b7dTdn0H1Ncq2zhZ41nydk6+0K1zYMtjFplCwzGtTDAn7QIY2YEFf+zEF
A/FrEW8sjTOYbWORz3ZdH/lhd12FKEG/QFiM5UwQkINRjBO9NFLTmGXzD0C0kVOF
AgwDC9FRLmchgYQBD/9TYF9hq4JEshBgmUrv+6MnnuXJCYkDdPFrDWk14bAL+J/M
9r3hHNK/PY9OUqgVf1HRO8d/bIvAwDJhs3rhWP/el6IM5UWfkwwwx/blhTzTlbgm
1XjN9uPd8lAaNFDgZBKg341zxxuQa6Ikm3MCI/pyXqeOKMlxXfrkH0Lx+e4TyoBF
pDflamEOVJt15dQFOB9aiphTZMCmVQfV/eYfjqpRDR837/ptzQgasgk2KFvyxCkp
iWL/n1nN4n4lg2BYeg0EinFu9lR03VIPaWYrmYCU1XvDUbVKr3c5FbX1mcyt4PvW
oSCq7Gax/YCSQFy6Iv2QiPqhrnelYRuBMuXrnSz8TKfXJtsW8+R42vNc4o4iSYsj
ZIzBQO39YcUA01qogP0hxPSGzo1M0cWRpZaX3JbjWLwqZQoiDi9Uw482xDuxO0bx
TeFtekSCZTV7Mi1EdENb3J4UdgpEsviFLSsK0uSnCPkHu8MteS+FiztxusgHtH5f
YVhQhJ/bIp7jTheow5SZSnb+pRHbTq9GcN48k4G8l4YQZjbXRaYR0ojL//9yexCL
z2poLvkw0q59GgiBNudITIKSB0IJCcg3jDafMCJ8iqyBzwPzPHOL0oB+cYyMth5a
chufOtDAE3JEUJb8c3RXUnpIl2JScYV/IZNHDIUSpWOszCVDYZ9TUqM/+C8iV9Je
AeVg5jGHq5yGwhzhXgM0DJfFksCNvC6uyAJKpw8YRhNGNBt+pSvF38TMA+R1YPmd
yntweGKTK9Qjg4zpS0zwnDehJis/RSkNTkK66RsdVpcaMj47WOrvw3zGVqz1fg==
=A+L4
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

94
hosds/nixos/x86_64-linux/hintbooth/default.nix Normal file
View file

@ -0,0 +1,94 @@
{ self, config, lib, minimal, confLib, globals, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
"${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
"${self}/modules/nixos/optional/microvm-host.nix"
];
topology.self = {
interfaces = {
lan2.physicalConnections = [{ node = "summers"; interface = "lan"; }];
lan3.physicalConnections = [{ node = "summers"; interface = "bmc"; }];
lan4.physicalConnections = [{ node = "switch-bedroom"; interface = "eth1"; }];
lan5.physicalConnections = [{ node = "switch-livingroom"; interface = "eth1"; }];
};
};
globals.general = {
homeProxy = config.node.name;
routerServer = config.node.name;
};
swarselsystems = {
info = "HUNSN RM02, 8GB RAM";
flakePath = "/root/.dotfiles";
isImpermanence = true;
isSecureBoot = true;
isCrypted = true;
isBtrfs = true;
isLinux = true;
isNixos = true;
rootDisk = "/dev/sda";
swapSize = "8G";
networkKernelModules = [ "igb" ];
withMicroVMs = true;
localVLANs = map (name: "${name}") (builtins.attrNames globals.networks.home-lan.vlans);
initrdVLAN = "home";
server = {
wireguard.interfaces = {
wgHome = {
isServer = true;
peers = [
"hintbooth-adguardhome"
"hintbooth-nginx"
"summers"
"summers-ankisync"
"summers-atuin"
"summers-audio"
"summers-firefly"
"summers-forgejo"
"summers-freshrss"
"summers-homebox"
"summers-immich"
"summers-jellyfin"
"summers-kanidm"
"summers-kavita"
"summers-koillection"
"summers-matrix"
"summers-monitoring"
"summers-nextcloud"
"summers-paperless"
"summers-radicale"
"summers-storage"
"summers-transmission"
"winters"
];
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
router = true;
};
swarselmodules = {
server = {
wireguard = true;
};
};
guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
{ }
// confLib.mkMicrovm "adguardhome" { }
// confLib.mkMicrovm "nginx" { }
);
}

118
hosds/nixos/x86_64-linux/hintbooth/disk-config.nix Normal file
View file

@ -0,0 +1,118 @@
{ lib, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

44
hosds/nixos/x86_64-linux/hintbooth/guests/adguardhome/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ self, config, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
"${self}/modules/nixos/optional/microvm-guest-shares.nix"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
globals.general.homeDnsServer = config.node.name;
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
adguardhome = true;
};
}

61
hosds/nixos/x86_64-linux/hintbooth/guests/nginx/default.nix Normal file
View file

@ -0,0 +1,61 @@
{ self, config, lib, minimal, globals, confLib, ... }:
let
inherit (confLib.static) nginxAccessRules;
in
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
"${self}/modules/nixos/optional/microvm-guest-shares.nix"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = config.node.name;
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
};
};
globals.general.homeWebProxy = config.node.name;
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 3072 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
nginx = true;
};
services.nginx = {
upstreams.fritzbox = {
servers.${globals.networks.home-lan.hosts.fritzbox.ipv4} = { };
};
virtualHosts.${globals.services.fritzbox.domain} = {
useACMEHost = globals.domains.main;
forceSSL = true;
acmeRoot = null;
locations."/" = {
proxyPass = "http://fritzbox";
proxyWebsockets = true;
};
extraConfig = ''
proxy_ssl_verify off;
'' + nginxAccessRules;
};
};
}

24
hosds/nixos/x86_64-linux/hintbooth/hardware-configuration.nix Normal file
View file

@ -0,0 +1,24 @@
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

25
hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/pii.nix.enc Normal file
View file

@ -0,0 +1,25 @@
{
"data": "ENC[AES256_GCM,data:j4Vhhuinx3xb0YhEvtjK6CmGm4HDmhOZN9ftHJ6IgrINdlj8tWxyxsOfQkJoX+PmIjhloLob61MSBm2QfMGojMsvbgNrvakpPBoTd8w2H9u6IxMH0DpPCnXOq2rD6aC2Y5Xjg6AZJCXQNWMCfkhTgbZoTOen3e/1IUXtPtbURKe7vpOuyaB3d7IIO6NnMGlNpF3ZXRuxoOtu9Y9ZrMjgRH7I5vkE4KkMoFIt//Tx1rtlhu68UrFKlochelXNPxWc+NHNbi1ynibdgeuipak5GmheJ1vY7oKAMogvsZWvn5qs8Ar5juoonWWKsc++dIcFwhDHaxd/xHiak2MhKmnU+do=,iv:LLAaoxXaqVnoCprUfSNLNBU/69ZTxytVswgdz5s2swQ=,tag:B8wC/3YB04tKvBrS2AvmdQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4YjFzelZTVE40L2hiZ0pP\nL1o2ZUJ3VmFnZE15alRaTHE0aEU2T2M5YjFZCk9tdUxEdStRemZTdnNodE5aUzk2\nSFlaeklZZU1NYVdTcW5VOHczWkNabDgKLS0tIFJtM0dlN2N4WnltaGVLMFg5ZEJG\nbVdMU085TnlzMmxEWkNvdUxnVUIxeU0KRW+NWgYTqxKUIrK9v3E2zYmZCnAEsUjw\n4WxVqwhGgUoHDeURiKkJNJ4kg3op6pNZg12NJ2JfAngAKfCK4xUNzw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQXc1MWpLNms2QzVzeHRo\nd2NJNVh6MWIvVkFsbEc2b2FVSkxkQjFYMURJCnJGOGZPMkt4L1ZXSW5UbGQzNFA1\nYm5uZlFXNlNjd0VSQVo3N3lFQ3BvUmcKLS0tIFlqQmpOL3VLVzZmcmxnN2RuOEd5\nZXRBN0wvbDB3a2hSdWRuN096ZExCcTQKMGRB1v9Jlilzx65/5yUgWQ+i7ubK8y3Z\n87o23XUIdXAx9oPW3j3HP1OpuYqiJc0FYX+THtmpHln/J9n9Qe18qw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-01-09T13:49:03Z",
"mac": "ENC[AES256_GCM,data:cJauc3/EUrx5uYx1SGLTmXdPrsnLY0SYm9vCakX9CUuBOoOp3aA5SGFtzGSjOlbPa22uo5Yt0t25setij3G4A9DjTGG/P/aQq9lLYvEeBxN0oxmBnww0YeLUoHT+04qxSH/5CShwZg26Ycep/43DMO1x3HH3fx4ijenfwmKhuAo=,iv:aZc6KMC2JaxEdKX3uOuSzJ6Bhfu0I77Yw+9t0z+ZI80=,tag:lQCZmxfq+Hp8G0JG/bjhVA==,type:str]",
"pgp": [
{
"created_at": "2026-01-09T13:48:11Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAxNIPrwgDPEUjt+06WWjvh+NYFfxkEdVPH+8o7O1GG/xS\nH+K3iviN+IPdvXeV5zDjHfARVpnnaT0GfH1yb9+4X8731bDPhZk4iYH/RTloByoL\nx+yRhBzo6YfWvLVBHDXuV0Ux5xWFlQmhAoUrsHeBycDmNCEoQV58igBNgHxROpHA\nwwWxkuAk2A6LQRIJkCd3q0FonES7G8Oi2sslYOqlsMzzfTS3OrZfc+y6vjjQshqn\nldZLjFogOPH6YJZe9r/LTaXqoY31t4ZeGKlH5ShfKui+e7va6pZy0X63iNmhLAfw\nccxIJVQCEf7DOtFdohKVrhpLD88nj2PIv618QFLgBW72Cyw0O1RPGRCQkwk0WGqN\nlzm/2MoStUlO/0/GvWi3KN46E1E0LR6FkAOEphxH7gB+1wiJpgnDCSWtR8ow1gOG\n/SNKb6xFD2haKZVl4DyioK6yiOQ2/tHEeYrIDhVfW3+KZ57zd6R5euhaK+QxABVW\niCNDaERqMvwWuwfBUif7g3V4CU1iTkQ6DHI8LbaVH4Vs+YwqGt21kpe/dcIiqtm1\nSNACM5mJ1Q1P7r8fM4i544IxFbl+LHijJzFTjTxdgkEsovwXbOVpWqVl5oQ8xVVx\nkd1FZuQmcNvsS9y1enK5kD3DUZzygvtZwKcKRohLyQV3T+ujUFAh8hhVUwmrRKKF\nAgwDC9FRLmchgYQBD/9AhPK/E4/cmSFSnUYpyvoRqlUhGtXzZMwTzRKjf5hRHyio\npjqJEND+UTIrIMy8rExBFiE39+7crsICG+k03Fawtmmw9Q5zXmhPFW1pD6g2zQcH\nMtGmg2BJBdXXcL6wuaaDaDUWVVhYw8iN9QaC6ma0/i92ZiH7T55D3+0MQeqSrDFx\nISjtg4xU8Vx/vHXayEHSuLzaqU2/5vnx0DUalqYUTE4f9eeaD9e1qLyoDBGRld3T\nHuAXdKulwL1YSKNBe2X9Y3kHlHzK48I5NfMy8NuTkMPUQ442ZZYD7mYM7J3kyjgH\n9DTRC7P2sfacE7f3i3Tnum0kwTEs6a8aeIR/BS+EDrPouKXuHevWLzbqB/pa9cfm\nU0yvZmcXOrLVXsjOKdgHzS2I2jGnbacza/FTkkjS4amDKq5kmkqeBkSol0//oDUR\n15sa+vEWDBFTdDZPvYZAKwndNkPy4prjOsXxHSpLa0oX+vT5UWdLvYy8P6av5Hk8\nNBDePCf/WhwIr3612n7kSBzEdh7HQTtPWapq31GaH7+vgZAw9hVWrWiIBuHf3j60\nN1zHfid7wMeFHqnRvT74vpM7ekvfVf2ab0XLpQmFMvMkZSj7gZllJsiA4TiAqgvg\ntANiOnPtZDr25GDogl+3b6uBEhmTmSi40D0te84zsT18yvZXbJhr23swRlo7cNJe\nAdAi5A4/stmMaLSzFoyt/FZL7+/lwOGmGHo6TMcr2b1UkLfA/c7r9udVnOJGuDFW\nau9MXji34BkREW2gzEaJBqOJ5RkaKB3TBxbl3c6FX0DsFoEINzALM1yJ/B6NbQ==\n=NwLj\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"version": "3.11.0"
}
}

57
hosds/nixos/x86_64-linux/hintbooth/secrets/adguardhome/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
wireguard-private-key: ENC[AES256_GCM,data:5RdR6CvGBwaklSgiP0kmz/ShroIa1By7ZqgxKrnSGjHRyrzaeWGTuJmqKJM=,iv:D5UmcQkbRs8WVQUA8XpFCwLy8+O4+RoJLWOkHj0H7ss=,tag:feSuK9jW+wLeygqhKHycDw==,type:str]
sops:
age:
- recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBMEM4alliWlBCT3VsbVA5
OGt5bmQvZW1TaUNkbWtFdzVGNDNpY0hBOVhzCm84TldYNHBrU01HMlBkbGNwZFAw
WVk0T3FycVRHUUNtM1pTYkQ4Qmw3RTgKLS0tIE9LUlNEVjJHOGVIK1RSMmRXUDF6
QlRKY1hRVzNTVXhESUd3OElXL2pBZXcKDWYoOzi2b4qeIbCVCfTj0lTW+OfbnsXB
8MugCHu7+b+ju0v/lUP66jDW9/2AH4PzHtCNHjsafyzr2qnW8HlOzA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1c2enwel9un28dcs4wg0vcyamx9a4a6g3walkhu8w5lqhmd804paq9d24as
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRWJXR2tYdEd4cTZsSi9l
Tm1pSC9pek5BakpEMlkwVTcrMlBuVzlXWUVrCmlnV0xJc25nL0twK3VCZ3FRK2x2
RW52Q1NxWUhTUGY0NnQ0WEhLMWxIcFUKLS0tIG83eVM0KzdLQ004aDRKNTYvdmVZ
d3ZOSStBMFpSU2ZjNWhFRkREQWlUdmcKggVvLy1mLYGf8084RQtlipS4+z4dfPsN
HZfid0srwYnezlQ5qOY8/HrDLWHEyuZ4xFZVi4n0k49qBpNwJdmvyQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-02T04:14:03Z"
mac: ENC[AES256_GCM,data:aA+oIq31QBla9hOpApaMeP7MFl/hI0kDjC1QyPkmexXuMB2pQJ6bBEmazreX2m2TPtHv1rtVUak7F6TbA+97IFb9EQFuAREi1Ca0xjz2eGVFQKu94qkS/FNemXTAkEZxC9LQ1TRqNXXNITehKUeIN65epuNbWqo+iOW0OHEXm/w=,iv:1NKL2PZBUDyHEIiB2ZpvTdCh9ZO+r8bPyJo+EO1PBmQ=,tag:5W9owm1Z+7O1CGVmH1afUw==,type:str]
pgp:
- created_at: "2026-01-02T21:12:51Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAmvkQ9V14f0BT/bNdFVZtTlY4yVon37CX32SZPUcHV7o8
Dya0sZd9tuVATSv79TnybscuNx95fkoZJwujBfAadexn2zY8zl1oEWEHx7p+8/mE
W8JbQAjbcbX9sNQYXc8kYJylBThmgNN/HXK7CGtgDFr9xnGzDBnDm/M31P1HwYBm
IdIQgFGErEt1K3xvw28Lk3tPuZLK3Y+H2Yna7RRF6K1blGJUvEnL6yFdA10/eFW7
8066mO26F2l5xFuktK0nNeniLHKa5VVYp8iM+JMhX38l0wiIi8pGyxo3uAjNpa0w
IfpCneEBe/yyaUPcWMjXmUG5LJe3kWUup8cSzvu01Z3W159/QsflxIMkIsklqhim
B2zuPdAlYsjjS/05DIHInN2IIB/rjADkQvXji1XYLhWJj4jxDeck/UIc6Q22TED+
autlbl8d/5sqyO5ghPpShF/s0vMTqUfpXZrDrbuyDFqCfwi0ahP03bUsv20ZEz6u
zG3K5HuXHh7ATSppwuMbcv7vcjF1tkbo6XhWZDv0rY0DFWqiYhnxWwlFlGLxf4zX
g6r7Ca/E/YXG/eOET6M9DxwHjj0D7u/ryAkCktqPL9w8oNGarZQ/xMx0+ocI3byc
Zvzlmd63BtgaGNSxH3stK29KN3ED8cDkG/JzAxCATWiUBBkqW/ga4sGZqtLlSO+F
AgwDC9FRLmchgYQBD/9JbFZie25PO2CyELlUWm5SmJcugT9SK/mIA2fe1PlA+Gnf
5z9iXraMSQchz4R1IoiixDhubwKeKp/auqhlOPvo58Lsi6iDR/WaLWabD+hcyAb1
ck/f/PUzTLhlLcfu18VPfXVzfnky3dX8P5aS0WMLAQblj2RaaiHxnPqf49kXSn3q
VSJ0pr0nEsPuWtoCkHUAwAJ8X5GPXN2OD4YbHsNaA9h2vrJAxNd5+HNsvg8JtI88
X/uMM7cWcaXcmNZOz166HUIPcJ5cabJ48Sv8sDfMPOcTiJkMiESBnRYTwdUcp08m
nGipSrUeW3pVOC1bGyukZb6sF84pTtCpqS+kOSfKFlxFFdAEcpzFIPuOMeo2dbKj
GSGPDemZFC2yFq883yk9/mZbgjOUsqrj0ZP3rCD5ZHpfUM5IxGQ+mKaOucTXYmif
lrTPMYnAc7pHxKZ87BgiKBYrfRAZvorLYKv8zG8YagAUw8iCtc68YUUdvLW9haQf
rwWCU1z+sszYSac7I57gfqICQhMUbs1n9S2Cn0C0xo4q2Lu36ysip4rEVGg6TmUu
znXYu+3orodw2TwC0tGxXHYKwmlr7EGnBCbdVKpDoCbV6cYkDYoPUFg0alqIPd5r
KCkee9MaCLLX7IdBrbLf1lkHGwSAs81GfZRMLBauM7/hn+hMUeIJnMbtJnVIB9Je
AdT2nSH06+POnjvxa2t0dUasnG/6ISBRSk6FgBBZ+pdVlrvaB4javgWGpiAWCUu6
b2CMZF3HullmLj+wwAKlsZsIOXGICN5GeQxLHYF8Kx7Doj68Owu/zGM5MS+7XQ==
=wYdb
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

57
hosds/nixos/x86_64-linux/hintbooth/secrets/nginx/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
wireguard-private-key: ENC[AES256_GCM,data:3T0ZoPAs/OIkhdZlH171d9d2Ycxtp4WfI92pTBI3vRw7BVvEgQZKu5DCvbA=,iv:gsczaGwcI3JocOazMIEsgHFruEKDPxOTUQzx+rdCaio=,tag:/Sw7QsZ4fV+BMWdfcUevBA==,type:str]
sops:
age:
- recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBySStkZDlPL3JYTFlYVXVD
VGx0U2xxeDNXcTdwaFZsRWZoblk5eEttZWtNCmJQa3NvUHNwYmFZUG8wMlNxWE8z
bkcvNTNhWnozV2Y4Wk1lZmhmMDdEZm8KLS0tIHBkalp0M0NuU3JQQ1FMRmJNQlJX
Zlo4akUyVW0yM3FLNG9jQnBHY1BQN2cK48vxR3pPY3LJlTIEx+dy3ZZRfwFyvQGe
EuUI7TuLa0ib8JnO287Ay4gp3GH38jtkGcux4yP5Q8eY/M9GNlEK8A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHTmFTbmNBWldmY2FGSThG
K1E5b1RTZE5NTll6WkZvbDhxaUk4d2N5bjNBCm04YkxSTE1FdFNFMGNFREtRbFVE
MHFuT1VONzUxcVdoK2kvUFRkc2xXbFkKLS0tIERlWE95MXVnVWk2Tk0xdG1EZUIy
cEdOaXNUQmt3KzUvZmRJWkpTdVpHdW8Kv64ZWzQbpmINagumpuHXscRf9stxO4Of
DSkGxFyLgq7yDg1iaiWy/mwxQZVw5i4ieR2+VDgi6Web2y6t81jayw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-03T05:23:18Z"
mac: ENC[AES256_GCM,data:u9N7GzLPDW7cHT4mkUAC9Diq1RdV5iSwcz/fqzXQKRmic09eVydAgyk2g6NbJ+4tBbAjIfeUch8Bhf5eG0sGzeDkb1qWAMEnP8EPmQ64OdRyN2SxJgxkc8KFGxkrGz9slS2ozWth6q/tKBSsOYbo8WDlCqXhmYp+zBxvYFR30Mg=,iv:HC1e2i0E7dV9/au+A0kHd+UXDhw3xf7RbTpwJI+hjpY=,tag:dPCDh9qalNtbHIhs//cBpg==,type:str]
pgp:
- created_at: "2026-01-04T23:02:15Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/+OHyevGNQqVV8RMOgLxV7CSBCdzCgRiEyDt8/A2twNG1x
8lM5boYrVJowPbqd1EV2hfZ8gl3vvWhGMQdR96J+Mt1PWG/lok/Opf8Sdjl5hzpq
5AjNWz8p0NQ0e2UAGDuRXy+tjeMWKox86KVhxA/L3Td4S+jV5W+3zRSkRB7g1eIH
NJiyFe+jl29mSSABKk5TclzoB/GoojAkO+8iXsjMZYd3upHyQdriipQKkJJGEaxH
8fWBYcFB3H+3nMmwi6bz8xhUpOCpKzRbvwmqWYcendqINvDU/sQxQmxcqgMiluzQ
ocHNba+K//ptmtJHeL/8o69ljqk49A9mZ3ukRZZ9htWewv5n5T71majA/lJseGv7
tsAuKYTHlSkhOVzXuBnIaGrBgF3mB0ag+9/VIlBXCZpEMdjp3C9GJBUQuxoRSwbX
3oREyM97O/rtOo9JaqzqX63S59aHPwt83WH6dp2n2hcXF0tpYff3Esw9Vg3Uq+Fp
GCSjb4jFQTu25ZbpiiUaaFib+03Y6gGrnzU7W6460cxd4iZNEPGqE1refsQGYUPC
6L7R/mkT0SBtC/8lyOvuIpzYHiAkCqdLbrVTmBHUG+a4fIP16IilIFBh8haVKqY0
pgBDyLZDVwLzslp3AK+7pusU8STqCazFISe5GPQswwjwo+J3URmQKbCNHXVRyb2F
AgwDC9FRLmchgYQBD/94rHN8+Rqod5qxDxa0JR2ZYKSUBdzkkEqYnjp0efn/dY8x
m0WUQZEy+L4ZeAmFFL/mQ/Mxk7EW2Vghwy8j8tGTogJtVS7e0GYirKAHr6fgxxpa
5BoaUSK75xybQTzWe/CETfpRlDEFmYt/hwMldfCHXwnqZxXNVHj1MN2kVNFbPfwo
Ml8RYG8ZllyOVAVgXGsV6kiJp7jKblpuKCDQPkdbE1hFBed0SKW7olUtuBE4ho7Y
J1g1gXOAqAWud+crA21bA7Uow7ZYaC0/WzTY2PrgAuS6kpVx52uUj0xqMfK+/Cco
r+KFHleJL4b8pIsImsExJv6rDKFohC7E5n5XxLLorTXB6YYie8FkpvmbWK03j+hj
Q7xwFLKWYLlPGtdhe+YpL9yiwHWaQbGUjarVH0UAZgSwJCt1cZoiL6++dp1USb3N
aV9HS0Milhbseas9YjiSoVvBXrDYEnjShJ7uWOu3Rbh4hx7jvJijLPrPcd7cym+A
tjaxFFeD0mTEj1JcjVMk3fEN0wj++oY/l+piVvYvZWvMscq83Sb6CxxDprVw8xt0
sECqmgT0yVZrbDNpANwyWMXaHs5SZm5LaW7uDIcr0egkVA6Abn6twaR12660ptjm
mcv5K+ubzRomwxgzr/5NcwSg/k8qZ3WMfV/yuNsKIkHK2UI0y49SuBuCGGa1wtJe
AenE+Zn4xyF6cpEFXNKNXFDCy2fgHQrdiQ7XawrFAPJupn1JbGXg1gBN7yQI4YW+
BuVCb07GtuU/faiT7cIxUQ1nhc1alSE/edfqAPAPqxA/MXhoC7xT9vFmvUPAuw==
=moK4
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

22
hosds/nixos/x86_64-linux/hintbooth/secrets/pii.nix.enc Normal file
View file

@ -0,0 +1,22 @@
{
"data": "ENC[AES256_GCM,data:jaTRcoqOd3SNxwmzAcsqWyuvhYO0YipQPH2K2SM5OxhWWlUHTWQXqXmuAy0+efNnZlC8xqUWIoU//XXzUq/b7Lhi9bv9WyP7aHLOQNLFZ50Rt3b7yidFA/mxcRo2ZuGUR9mGoP8e1VtiQVVuzZQbJWqTCKtxb8s1f35aZx6NjaqeBFogfhHPwsVPL0lWdaxW2aYj/iwWb65xaxhcXa5mWpYgzfvuTXCkABFhrPxYG+NZpCyG7lt8MWpJ3yYWE0OEr/1Fe0TNfBjp7cih1wvMGIBj9uZRoJWkVwn6T+nldf52WpHCRZCdLhsjXCzM5T0g6Jj1HHatiISYZY3KLVAYKj63nSS3GkHk+BfoiAnJROcE2Aak0w7Op2csbNrNz807kU0x1A3ccbc50PKOGPFAh3JaJJUc0K+pGaIZ+FJhpIT8UyfQ7/YA7CDIvQObI9X7idsWPeuU3YN8VifgsGPznLWHyIgaUW7QmUtH1+KJdO0lo68C13FFnzEoMUroxMoUdS9Bvo1ncC9cITOr3Iuvb9nWQyg+wemyTJ5AOIx7dBh81PxMBYJ3JOTmxiO8LZapyqSbNhcbpo/3Q3s8J2DhIzgR2Ty7EI2tFxoGbzvpzBpWf/c7/rWWO67YDCfmB618w31Phes0/TTK2gxjviH917Q=,iv:M+S2woApVJAglQmvr0X1ZNvezNNl/nvxKjADWWXLiGY=,tag:CT4zP0qyJtbWCBJqqS7F5w==,type:str]",
"sops": {
"age": [
{
"recipient": "age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXc3VHa0p2MVdIdHRrbEVi\ndUwxMXA3cFpDODA0Z0MyUC9aemF4U2RXeUhrCmZjSDBLZ0twRk5rZG16blorQVVZ\nRE5SNE51bGlhYTVqcThFUVIvTWxwOW8KLS0tIEVHZ3Z6VVZHK2FUQWZQNVlOTkpL\nYUpNUSsyQllQL0lUa0FaODZiSjBDSk0KSJHdYoiOuma7YFjLpssAgw8BfBo5tl+o\nRvNt9rsXUlXEwMlcmYpkgUlsSAJnus+uE9AdBSvTyFRb9Wo696YFRg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-12-23T09:27:50Z",
"mac": "ENC[AES256_GCM,data:fuYSElvGFbFIdkQaTwNuXqaXxMuOmpT8moN9m/Yl+6u3e0sU9AMJLK95Azl0xffjScc79PAPXitILrK7gUwUdo4PvTpQo14IoSCzIQ4lcJFlrWXgn9dPFrc97iooMtBMk4hWmTzYL1mHkT/ab7NP3aE7j81N4HJcYwZqzVkdXaI=,iv:hpkTsdwJ+N/NVHEM5LdXC1iwZXT77OwZ+fM9mu3l3Bc=,tag:dxv4T9x9q8g8m5Imcurnag==,type:str]",
"pgp": [
{
"created_at": "2025-12-15T22:09:23Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAqmY5oZvXtdqhGl8COqgT8PIzArT5A8HbFwrG8Sz269wi\n7naQrwQnn3jugsUsaCQUHNBICe0xR0RO49e7YnuRN4WWaC7gdn4K9PDmTc5HLJQy\nzlVhvmrZhTHI94C1mLF0032idDgw+bvAb8a05pEuG6czghz1a7e+EMkskScRTlaI\nWKVhZ13vuXfo7dv4zL2SmP2crdrCk1gMJg3UYBBhcz3ql7qDVqV2B8MLgPtsTQIV\nDSktLAuuQTPwGke0wb7ajbea88CkGGTdDSB0NdXG6O/cskSULRxw6TtmCgL42Vqp\nnBbKfnK28y5ZXl9vLPZsLDM+T/E0qdR1nYloxL0kV0D/ESwX4dSyyRYglt9yZmAS\n2N4+7rpL0UwcmiWi/iQbOzZARVEREUlnTnX/5URFks4sQayL5Mk8gHMt/aCBvlPJ\nLWdp6owZVf8XM9e72TXOu+1NvXz0UxIC/sYObMReRQmkNf05r1nt8J71TOmtyEv7\noIURLjgeShNK7PbUoIIDe23xWiNuyEATXmw/MARbc/HSu3bHlUZO+Lx7LrQaQ8aI\n8yZC00WZDgsuOKIyPMNMWhvQOjP5bdLSdbLdtAqz2+d0hUw0PlIHXk4dOqOrkiai\nGjjgGG4OKrenkMDEPFKPW9zKvZbklglGI8mjZTFYwXIi7oILqI4AXcuHXHrFZSeF\nAgwDC9FRLmchgYQBD/wISMziWFXVsP3SRpgOO7WZY9extkRQZJd8veeHzhKPShfR\niIdON6j0SvGaKLb2zhyIIsxvb0HVrExysLyqLWyUvDMobS935jCNmHb5yo+FKMNz\nrZCxzt6vurRR9Cd3K9Z0RJkPrBQ/FyJQHQR2WMTlqXg/kXobR8ob3ix9pSh3/9L3\n3HVBvrOA8eXbajwGg/8FYmimO8zuckO5BYHdVTsHb4MpdcEINpxhBgO/STyUoKfC\nAg+IW1wW0YxQl1rlmuMkcYRFAOUE1zTrxSsA4UuhdyQ8UYF5LozM6qzNFXZYbH/W\nelKZUIUe96Ap+fXwsu4hgYoVUMzVyTO0C3ZqSqzrZmFHC5CR1EcnRowU1IAUNsGT\nmpUD4SKu9aqenr1kTxsDi0kd6i5XXHEXSQdKRgZd25ov/Q++MlDrkEp+/qK4S1wl\nZvXprBBx0aHhnIMtSV2hLgh1CVaMnaWQYn0rSjR7P4p0dd5pSfR8j4aJfn+ErN2q\nRlOpy9/r2n3yLs3lQ+GML3f2KMAlVaxY0UEu2muZQI5cjKvs/MjGVmcDeo8B50oo\nlF6SBdIMssR57D2J99aivmS3VDvyTg5ha9pvpQRDWA+LQYcDvkvRITVF4kOMeQ3t\noUF1C0ndRcr9k9fRJ95QicjpVHBj9soceYd3OgtgZJ+AX/0B3gkmejYyF/jAwdJc\nAWgbKZlvBzB2Hx+c0U30K91HjI+tpVH1ivEAAh+ogbLH3Ox2doUVis7syE4AMfoe\nCCC2K+2ODEYHdJxo4g5DtcTpZL3Xla0sdlSxn8OeIuJkuvMl3oxRI0Jr4rw=\n=2r0D\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"unencrypted_suffix": "_unencrypted",
"version": "3.11.0"
}
}

53
hosds/nixos/x86_64-linux/hintbooth/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,53 @@
wireguard-private-key: ENC[AES256_GCM,data:DBCK92h8mGxDshB5OIEbyUENc6a4jmvzKPvljUn50AM1I5vBm/bSTDRStIM=,iv:K/OiPnAlXNt3RqBiBiiZqIY8vqsIw0kmKE+aeeVhr+Q=,tag:eloCJ7yjI2tpHMxwNxZDDw==,type:str]
#ENC[AES256_GCM,data:3lP1BqtvBwyeOvq4K5HTaQ==,iv:j1xenUUIkyJDaeLlX7LGhjFdhNlfTXF6r6v2+XbJlOU=,tag:TsGKu6VfF6D8I2p4kb63/A==,type:comment]
#ENC[AES256_GCM,data:LItVBIEQVz0x8ZARRlMVRPa0vdEe1Kv0CZaEnauUWw3P+NZv6WZkXw0SjuW+k9oqlDOTPR6gQ0Aa4GoX51NRFFmtlCVU0YL/RmdfrC6nkSea2S5btXCG4pptSusmQx42Rn+RfttcLDIXBAOIDSA/kKiBYvDhsZe0XOHAzj7jTAshSeGlccEOUIs8SctS8b13OAiSs4ceuMRPz6J45f6RVKG6COgiUEav5U6RFa1ZOLv8A/EFsqOsEZ45aYqngLM0/7gZ5Wqwpft8a+7dLRmakUjTOxH+wtVn6CV7wItUJAoz6BjLR/jtDr9EUm/QesZSHhuxs3eu0iXPXzaQgUt5Qz2knxSvzsEKYUx5bPsNBSb4uWgG3b/vKzPUKKYP5CrOwvPxsqI=,iv:z1YrJmuMaiiQpAc8ajoa7A1GH5Z2D2holm3lBCiBqOU=,tag:ghl+1BN9Tyxpwr9KXre5jw==,type:comment]
#ENC[AES256_GCM,data:NmWQFYRt2QvzZSXUhOCBWtvjpCPo9bOlxEXjVJUVbV8JibPtiP+EJ7oOYEi0thi2SGVeqqbRyQTT9K/4KwmfB+TT34EPMfSxJJ/p6JbxtbVr7zcgcbD6yWdBmaxB8V0iMXK6m3SuhTKHQjUin8gkYkHeaCo60wWCv7qoUTWePP5LwS09o1to2ckSmiszm6kg0TF5TJpCcyMWzjfmE7r1Rd48A1Z6Gf/B8sbERe42K4FSF+NjKTJEMZNngvUyKuLKhwhqhh09pbt8/lSL+MjzwPvTlriDOb54ZmN14dRFDFfdmpdJKAPT48Vbl9mXRJZHzpaP5qOFOwq+Z3977pMRuOen/BaEZZOf/Yucp9lnzNSdUb3hx26Fn7rA4/AszyZpbFB8RAnw,iv:oIK0td0LJf1+6K5wlD6KkdP0HxB2bTTQ7tIfd560oOE=,tag:WuBa7peCY19021YyQparcg==,type:comment]
#ENC[AES256_GCM,data:R05LNs2Ga+spsXQbD60xSrIlCPERGPF3jjP8oNRPL+7RqJNqKAcS6/7tQrqO66Bqsj7ywuxADxie7OzkJhUYpl8grEHhO2Hsw2QA4vTHYdKtjpNxity3qG3KTUrTYsRmhGoiTeDxX+/BMOi3p2nmNZM/1TJ6o6CVO2rD2zz3dQJyKPS/6gbOyN44HTbJA0s00p/3lHvULoP/VIw53ehko+T3N4LUgpvrVQZ2LDodOtqnQUFKiJPUrZddAka5Wo0KRFNDsCz7Z5FgaWjqMeC0oZxidISbTAK207km/QyexhTGtOhu9vANvzej65fkOlhuQbUur3ZxcLdiLA6TStWJyonrH7EQnabNzzv1kSTXiNYG6TPdVb2CMj7P0SHThG9d0WvArh+n,iv:oBH5R5k2vgaBzwTVeUnjSScJC/E0yh3f9317sCAk1/U=,tag:TKwU80zceuH/Tsw8v9fq0w==,type:comment]
firezone-gateway-token: ENC[AES256_GCM,data:qucZ0VF/vR8Y7NNbXP15SZd95Vr3oYKx07JMtdfO9/bBWFEFTeC+0mFmTaNpedj+lWhgqJhtlIr/0S3drJ350iRsXWuRSis9Eiz8zz2OaqO88NOA8HP3h1UgSVG63pOkhmTpnXOezV/rK107ow0QfvlS+XLZYVni+xRZ6mDkle9q5tbmwDLQtuVZ5+BMHjLGpYezMtOUPZDeRw2+ywhYqbgHQ+n224Je144rGJYnn21mKxBRVD33Ei/ganmvh8IbRuwuB5kXlnc5Q21qBp9r81yReL+4Q0tdHNfmkyuS9LLuguaTTQlUTuwzrBCdIw7xM+9UDdsYXbdzhGPgIR3+dVjde+7k4nOZ71f7trw=,iv:wYD6ih5x4i+Z5Nj1zkQ1az0ie7qGyswpa+nuoiDbyPQ=,tag:AG9nOIuR8B7+eLr1XZOwQA==,type:str]
sops:
age:
- recipient: age1wmx8y2hs83j2u5srdnfxljrzxm8jtxl6fr0mq7xf2ldxyglpzf2qq89rpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTzZxNUdxbWUzbkp5eDE4
a3NGaWwrRXZxaXRvTmJjQUZHZU5wY3FpTTNrCmNxN21hU0dBd2piZUNCNndNaUNo
K252RGYyWVpXanZiVGMveXRnc0ViOFEKLS0tIFQ1T0dXUjlYdUNOcXJYZzA2YmtN
YWlkK0xrclpXYTkxUXFiNGMxU1NnMGcKCZzLfTPjeeGxyD43dOGDYsQVsw24cyHI
jz0B9VV07p33OP448eLyLgwpVFaNG0q+hXPH+0fb3V3foBT2QSeuPA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-02T14:09:53Z"
mac: ENC[AES256_GCM,data:YnFSQiC/gucCsfrVgcle1d9WOkDDsXZdhDem+yBWOlTxE5S0I3iFrzz+xj6aMqPH0IeEZsw+aSfL7BnCHoamJbLk5xlZ2U6UH/DdM50lBFafNF7dd25J1ndFSCB7Py4FogNLARKf2a1HiV2W7A1Ph0n3xj1fYqu7K92u2aSLTOY=,iv:yhrNVMt/HfT00bWYIsUEckvwngzglbYnbfiXasQzEOA=,tag:NwRio/QrFk/XPvF3WZDbuQ==,type:str]
pgp:
- created_at: "2025-12-22T08:56:58Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/9E8KBoKOUyeIflZzmSriaoQ2/I0EnqKd9cLLFyqFFd4Gp
ZyOfaTqQE9/NWOG3KkG3iuHyCEdHjP14QolJDPPfuqjVnIkc0hKJ/TqwWb5OXurZ
hbkFZEYtuGWXGNugL0T/BnSUqXhd5sFBJueZD0LU7xBsmaDqMFlY//iheNEgq0RA
a3HeQL9gH4d1eUPje9XfcJ+onj9yYgejQ905ZIOAyrYTLVjnSc9HKJ3kz+rpin1J
2JHULBZEzigNiFXE2XmAatIM6PNBVJ21VL7CEPTt/qauRVHLsrz4PKcR/VMTzwJ/
A0hdMrYbYRKOL0rHDYyjpoeuKsUDNV0Gi//WQDXN9DGMREG5P4PH7+yPBcc+vgLK
E7B6RJcUFyuRh/n/KPGzKk1KX3KOQMjIKUaUGy7Ru91K8rG+/EH1ker6csDpe2aY
bYjtPnjiIvd/dR++JLALQJfCuFC6pUhGAC71Bchr4U2Rg+s9pRZBOYco7pJMJubd
rkt61MYFNpcZkyQ9mYAVCd13JcmoTsAtwmUkdU098tfCVA8sMRgFF1f2DK8iyRrq
jfh6pX1/UqFtOug8hElBJHMQkl9eAKla6COQeGtZC3LkxkKhkNLTcMLf4I5Tzf8o
ftxFw1eW4174Psg9vo+/T1zcOYQTVIUfnlPuK/oiCJIAWZ2U92HnCa9pwQe8nkSF
AgwDC9FRLmchgYQBD/4lFaFk9tlyBnTWY5yWJmpcV1gPSwLyeMnax/89/Nnixu1/
205CvMGEReFEQ4CDTp+WXwp7DA3PKqhg/hEq/x9cmH0kAkQg1n9QoJcd2UzDadfp
89ABsW5fBZJSLdHn3P06VIihe516GnsDA/KL88PdkYXpElgfqWXC8g2URKW6QeO5
j/XzOXDiMdO2+K37NcbwSQsMd0pc2BAJ4mmjvjm0aZe6ddF1917WYFkOZi09clNh
iYW8Vk4hmOkGqEO3zNjQkzZ6Ra9Cm4qr1BG7k+n4sxuwoae2T14/DlCSYh/llSTw
N25tWEeXeaAtQgVwoWYLrmSdCKYtxyACPrt6uEYaGE7wbXgBgCX91HuznlHiUvnG
uagiFMxr0x4G2Q+C8OuptKBneBcR6a21q3HaGdl/99F3fM7C2bvzv2y+ZScBP6fH
LvZjF/r3qrLONCqtaQ4Kw9LPzow8wMkCkshC7K0KNRq10ww7s9kbY8io4+QVLv3p
ZHbN+U+9BheVOAF8uX8V+OQfeFdp0VTbPZa7v1mLdbjshPNi7SEhlCjrtB8yqRtd
cl2tinqfWAosYt0xdUmH9uoY7bz9+BKIZ6FVl1huP2DEa5JAjnVItyLG+n2GpIqN
1SBaC/OCbJFawPmZgaWou+kxpLr7hu6kmPdCcdtHa4TYuanLkOTk0r0mztzhjNJe
Af5UVQLJJ7tduvLAB+vh/z91qgv0ftVDq4Kkr7Ma37OYAx4VzuHwEXNLKu2C6CwE
M7sp4ZglesyABMbOEhwxqg/kCYGS76kThwkrJfrgf82FgnMdUyYCMhhgy6iFow==
=izPI
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

62
hosds/nixos/x86_64-linux/hotel/default.nix Normal file
View file

@ -0,0 +1,62 @@
{ self, config, pkgs, lib, minimal, ... }:
let
mainUser = "demo";
in
{
imports = [
./hardware-configuration.nix
./disk-config.nix
{
_module.args.diskDevice = config.swarselsystems.rootDisk;
}
];
environment.variables = {
WLR_RENDERER_ALLOW_SOFTWARE = 1;
};
topology.self.interfaces."demo host" = { };
services.qemuGuest.enable = true;
boot = {
loader.systemd-boot.enable = lib.mkForce true;
loader.efi.canTouchEfiVariables = true;
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
};
networking = {
hostName = "hotel";
firewall.enable = true;
};
swarselmodules = {
server = {
network = lib.mkForce false;
diskEncryption = lib.mkForce false;
};
};
swarselsystems = {
info = "~SwarselSystems~ demo host";
wallpaper = self + /files/wallpaper/landscape/lenovowp.png;
isImpermanence = true;
isCrypted = true;
isSecureBoot = false;
isSwap = true;
swapSize = "4G";
rootDisk = "/dev/vda";
isBtrfs = false;
inherit mainUser;
isLinux = true;
isPublic = true;
isNixos = true;
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
hotel = true;
minimal = true;
};
}

128
hosds/nixos/x86_64-linux/hotel/disk-config.nix Normal file
View file

@ -0,0 +1,128 @@
# NOTE: ... is needed because dikso passes diskoFile
{ lib
, pkgs
, config
, diskDevice ? config.swarselsystem.rootDisk
, ...
}:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = diskDevice;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
environment.systemPackages = [
pkgs.yubikey-manager
];
}

29
hosds/nixos/x86_64-linux/hotel/hardware-configuration.nix Normal file
View file

@ -0,0 +1,29 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/profiles/qemu-guest.nix")
];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-amd" ];
extraModulePackages = [ ];
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

2
hosds/nixos/x86_64-linux/hotel/options-home.nix Normal file
View file

@ -0,0 +1,2 @@
_:
{ }

2
hosds/nixos/x86_64-linux/hotel/options.nix Normal file
View file

@ -0,0 +1,2 @@
_:
{ }

21
hosds/nixos/x86_64-linux/pyramid/default.nix Normal file
View file

@ -0,0 +1,21 @@
{ self, inputs, ... }:
{
imports = [
inputs.nixos-hardware.nixosModules.framework-16-7040-amd
./disk-config.nix
./hardware-configuration.nix
# "${self}/modules-clone/nixos/optional/amdcpu.nix"
# "${self}/modules-clone/nixos/optional/amdgpu.nix"
# "${self}/modules-clone/nixos/optional/framework.nix"
# "${self}/modules-clone/nixos/optional/gaming.nix"
"${self}/modules-clone/nixos/optional/hibernation.nix"
# "${self}/modules-clone/nixos/optional/nswitch-rcm.nix"
# "${self}/modules-clone/nixos/optional/virtualbox.nix"
# "${self}/modules/nixos/optional/work.nix"
# "${self}/modules/nixos/optional/niri.nix"
# "${self}/modules/nixos/optional/noctalia.nix"
];
}

81
hosds/nixos/x86_64-linux/pyramid/disk-config.nix Normal file
View file

@ -0,0 +1,81 @@
{
disko.devices = {
disk = {
nvme0n1 = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
label = "boot";
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [
"defaults"
];
};
};
luks = {
size = "100%";
label = "luks";
content = {
type = "luks";
name = "cryptroot";
extraOpenArgs = [
"--allow-discards"
"--perf-no_read_workqueue"
"--perf-no_write_workqueue"
];
# https://0pointer.net/blog/unlocking-luks2-volumes-with-tpm2-fido2-pkcs11-security-hardware-on-systemd-248.html
settings = { crypttabExtraOpts = [ "fido2-device=auto" "token-timeout=10" ]; };
content = {
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ];
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [ "subvol=root" "compress=zstd" "noatime" ];
};
"/home" = {
mountpoint = "/home";
mountOptions = [ "subvol=home" "compress=zstd" "noatime" ];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [ "subvol=nix" "compress=zstd" "noatime" ];
};
"/persist" = {
mountpoint = "/persist";
mountOptions = [ "subvol=persist" "compress=zstd" "noatime" ];
};
"/log" = {
mountpoint = "/var/log";
mountOptions = [ "subvol=log" "compress=zstd" "noatime" ];
};
"/swap" = {
mountpoint = "/swap";
swap.swapfile.size = "64G";
};
};
};
};
};
};
};
};
};
};
fileSystems = {
"/persist".neededForBoot = true;
"/home".neededForBoot = true;
"/".neededForBoot = true; # this is ok because this is not a impermanence host
"/var/log".neededForBoot = true;
};
}

86
hosds/nixos/x86_64-linux/pyramid/hardware-configuration.nix Normal file
View file

@ -0,0 +1,86 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
# Fix Wlan after suspend or Hibernate
# environment.etc."systemd/system-sleep/fix-wifi.sh".source =
# pkgs.writeShellScript "fix-wifi.sh" ''
# case $1/$2 in
# pre/*)
# ${pkgs.kmod}/bin/modprobe -r mt7921e mt792x_lib mt76
# echo 1 > /sys/bus/pci/devices/0000:04:00.0/remove
# ;;
# post/*)
# ${pkgs.kmod}/bin/modprobe mt7921e
# echo 1 > /sys/bus/pci/rescan
# ;;
# esac
# '';
boot = {
# kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages;
# kernelPackages = lib.mkDefault pkgs.kernel.linuxPackages_latest;
kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
# kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
binfmt.emulatedSystems = [ "aarch64-linux" ];
initrd = {
availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
"usb_storage"
"cryptd"
"usbhid"
"sd_mod"
"r8152"
"drm"
"drm_kms_helper"
"ttm"
"gpu_sched"
];
# allow to remote build on arm (needed for moonside)
kernelModules = [ "sg" ];
luks.devices."cryptroot" = {
# improve performance on ssds
bypassWorkqueues = true;
preLVM = true;
# crypttabExtraOpts = ["fido2-device=auto"];
};
};
kernelModules = [ "amdgpu" "kvm-amd" ];
kernelParams = [
# deep sleep is discontinued by amd
# "mem_sleep_default=deep"
# supposedly, this helps save power on laptops
# in reality (at least on this model), this just generate excessive heat on the CPUs
# "amd_pstate=passive"
# Fix screen flickering issue at the cost of battery life (disable PSR and PSR-SU, keep PR enabled)
# TODO: figure out if this is worth it
# test PSR/PR state with 'sudo grep '' /sys/kernel/debug/dri/0000*/eDP-2/*_capability'
# ref:
# https://old.reddit.com/r/framework/comments/1goh7hc/anyone_else_get_this_screen_flickering_issue/
# https://www.reddit.com/r/NixOS/comments/1hjruq1/graphics_corruption_on_kernel_6125_and_up/
# https://gitlab.freedesktop.org/drm/amd/-/issues/3797
"amdgpu.dcdebugmask=0x410"
];
extraModulePackages = [ ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp196s0f3u1c2.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

22
hosds/nixos/x86_64-linux/pyramid/secrets/pii.nix.enc Normal file
View file

File diff suppressed because one or more lines are too long

48
hosds/nixos/x86_64-linux/pyramid/secrets/secrets.yaml Normal file
View file

@ -0,0 +1,48 @@
home-wireguard-client-private-key: ENC[AES256_GCM,data:YL/nP4DGGjVc0wRrbJ0x+iyJfdqhE90Ws92QBl/lr3RnJzA+stcz0ey/Rk4=,iv:Ek/RVzDpcT7fqVh7OnNc9QXD3Tk/2bm6vSQDA38j+DI=,tag:G2dSpA3KZmbKAfIN+2d45w==,type:str]
sops:
age:
- recipient: age15cx90pnp54xp5gxlt02yn9j2pz968wp3l5ukdkx55xuecp34e5pszjku4m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcVdIU1MwTlQrVlRMbDkw
WXZlclBlYmp4elMrTkFPZHRpMGlGZXBDNWc4CkliYkNuTnNuZzRieGlvSHV3SCs1
S1Nmb0VJaVd4MFQzTU5XVVBuQldIVzQKLS0tIFpGUjNaSy93MDVQVEFvbXZzQnJp
Z1AzcVZpVlQ0WU9pNDNoTXoyR1RGUEEK0dfAegOiBXCnLakgBtWCYb7+hDqWFYUK
rXlXTBtICLgSzLWTtPbSVzrrZgT0SAM6vnLO/iNfAIXZlxjeOZrP8w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-05T10:37:12Z"
mac: ENC[AES256_GCM,data:RcvRagYaFGwMwrV63tffmYcA/m1GRjXpefR8Ab65jaldcWjfERiCWLFha9aQ1QlWUgSvCWbgC9/zFJkBBca1qVIvLOK1+nkI/ZjQ5rdUOJaP7mukLC3tcm+5f0Fe+GjTCDHGIZd/dUgkF+xVhN2XnFW1ExzRRt6q4a4pKvL6Ml0=,iv:EISJGqa2hQfjpu0X5wMJNZXzv0Loejj0Eb6kosXjU64=,tag:S81dIphr1rqQSO8jAZCABQ==,type:str]
pgp:
- created_at: "2025-12-02T14:59:04Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAlcSjeRYoj2Hhff3PbKtUdIisAyRHtX84+m5BYeRmcx5k
gwMmitFaYQO9IL8EJHXfwIlx+7gubTCHKVDEIJPT6+jwNjWPvdvRSdmelY+xIhPE
rISqzUlbpKdkhRco0vKNX1bqfLWPqcWPREyHLg0WsnPJjAmNHNz3GKDnqFJG4tip
CDMTp16dJWAnGF9uCPDZ6CcpuP7U4CHDBH5KcGnZFJoZg0VvQhqW1uTwmqI99j5G
pB54n/nhCuNbL2vktBZQp+vrwiykb4+1rZw+CcK2awcD2Ugk0d/7KieRSxRIKEbW
COIkJRxXkc3JbLjdVIZBQGUSNTtjG3Q6pUaPuECUhb+5SyUDIpiUmpR+/3iIitjo
OY+1nDWji5Q2d0BSkoRFiH9KeZn65vduQyEQRX6B0yrElBNk7etkvPdJ3bGoJ2WX
Qwlkx0YP+a2dwEtvlKav2D6aJ+uCH2MTAVVL6wEK5a6s2QYkc39qpGhzRv83nbsU
Bp0QnJ6ZSjf/C5fAealZldXO1ZDIDpbH5xObaanrYgZ5ufnUl2Q1sKUXNljTYigB
tN5z28AiDeV/INr7e1tPV+C6RtHDYi5Rxo9lfoehvdAWkbfdl/iucV2LkwWTKFLO
istGzbaxnPtJmlx6FXq+fk6g3GQcPvuv64ZqnIv76VclWcPZDYUK/EU87LAO8NiF
AgwDC9FRLmchgYQBD/4maY4LhehaKtNMt6r331YjlsnZxcv/4L5zJRc43XLeJJjf
3xjU+TZ9RvjwsTaJ4bTeoVxu8OkFgugvRVhp9sQuu/tGfWbCpn3hWIxebivarQdI
7L0SkuHg1Die2g3YqdbpDIzvnLueSvuNDJNmyUgekR8TdWJ0A/pwl/poAu8nZgtw
hiIXBdLt5xEUOihXVJwYIoHu8yjL6aZttDyZfHuDDTcCwXdqYqMHyTYmcNdGakrl
DG+x2TgsJMtipvYHT4WqcVtOYlVAH4VfgxfmcWvEIXT5u1ZpizntFqGAgsTwQwCS
vs8vbZ5WFqQTYZL2t1U0cX7ExWWdY7LZ+ap3uZ5/2R2VkT+FdplRz12DsobWMP9z
mjveWhiZx1TPa1rf5pigcvtFSQLllrLhS79Per37EoGUArS9iM6Iyhd9avHAqNTp
ywZnJ5JpQKVDeRsMZfpoKdN/C/wqSAl6O6NQX06aY3EIYvxKF8h6qK7u/4WdlVd5
Ml4Yn18HyeTkbz616TlMLlGQMNuloDc+XVORVutVphvxI50faIwi4I4q06+7+yuX
A87uJatXS8K20mDkzygP/j+T3eSzEMB69mPLo+cbhOfcmk29x7Sg5pf/JYAOuYMS
XGlIpa/VmqHOVcbD32sm2/M3AOgZBz3D2Tr2tI2JyK4ZqW/7AIFYNhnv7siTXNJe
AXNBE4bU/FRXGOH4vOqoVFvBwYOd7Jlr8QnMpFQuBDMz/408lkIojd5njvLsu/4n
qE0HKP9Sq3XY8dP4012GbkN9U/m/ca2oqVUy7rrEhGc1gLddlISHMMjNa7GsBw==
=fGF1
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.10.2

111
hosds/nixos/x86_64-linux/summers/default.nix Normal file
View file

@ -0,0 +1,111 @@
{ self, config, inputs, lib, minimal, confLib, ... }:
{
imports = [
./hardware-configuration.nix
./disk-config.nix
inputs.nixos-hardware.nixosModules.common-cpu-intel
"${self}/modules/nixos/optional/systemd-networkd-server-home.nix"
"${self}/modules/nixos/optional/microvm-host.nix"
];
topology.self = {
interfaces = {
"lan" = { };
"bmc" = { };
};
};
boot = {
loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true;
};
hardware.enableRedistributableFirmware = true;
swarselsystems = {
info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
flakePath = "/root/.dotfiles";
isImpermanence = true;
isSecureBoot = true;
isCrypted = true;
isBtrfs = true;
isLinux = true;
isNixos = true;
isSwap = false;
proxyHost = "twothreetunnel";
writeGlobalNetworks = false;
networkKernelModules = [ "igb" ];
rootDisk = "/dev/disk/by-id/ata-TS120GMTS420S_J024880123";
withMicroVMs = true;
localVLANs = [ "services" "home" ]; # devices is only provided on interface for bmc
initrdVLAN = "home";
server = {
wireguard.interfaces = {
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
restic.targets = {
SwarselState = {
repository = config.repo.secrets.local.resticRepoState;
# nextcloud stores all data in state dir and has no data that needs backup
paths = lib.map (guest: "/Vault/guests/${guest}/state") (builtins.filter (name: name != "nextcloud") (builtins.attrNames config.guests));
};
SwarselStorage = {
repository = config.repo.secrets.local.resticRepoStorage;
paths = [
"/Vault/Eternor/Pictures"
"/Vault/Eternor/Documents/paperless"
];
};
};
};
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = true;
};
swarselmodules.server = {
wireguard = true;
restic = true;
podman = true;
opkssh = true;
};
guests = lib.mkIf (!minimal && config.swarselsystems.withMicroVMs) (
{ }
// confLib.mkMicrovm "ankisync" { withZfs = true; }
// confLib.mkMicrovm "atuin" { withZfs = true; }
// confLib.mkMicrovm "audio" { withZfs = true; eternorPaths = [ "Music" ]; }
// confLib.mkMicrovm "firefly" { withZfs = true; }
// confLib.mkMicrovm "forgejo" { withZfs = true; }
// confLib.mkMicrovm "freshrss" { withZfs = true; }
// confLib.mkMicrovm "homebox" { withZfs = true; }
// confLib.mkMicrovm "immich" { withZfs = true; eternorPaths = [ "Pictures" ]; }
// confLib.mkMicrovm "jellyfin" { withZfs = true; eternorPaths = [ "Videos" ]; }
// confLib.mkMicrovm "kanidm" { withZfs = true; }
// confLib.mkMicrovm "kavita" { withZfs = true; eternorPaths = [ "Books" ]; }
// confLib.mkMicrovm "koillection" { withZfs = true; }
// confLib.mkMicrovm "matrix" { withZfs = true; }
// confLib.mkMicrovm "monitoring" { withZfs = true; }
// confLib.mkMicrovm "nextcloud" { withZfs = true; }
// confLib.mkMicrovm "paperless" { withZfs = true; eternorPaths = [ "Documents" ]; }
// confLib.mkMicrovm "radicale" { withZfs = true; }
// confLib.mkMicrovm "storage" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Pictures" "Software" "Documents" ]; }
// confLib.mkMicrovm "transmission" { withZfs = true; eternorPaths = [ "Books" "Videos" "Music" "Software" ]; }
);
networking.nftables.firewall.zones.untrusted.interfaces = [ "lan" "bmc" ];
}

118
hosds/nixos/x86_64-linux/summers/disk-config.nix Normal file
View file

@ -0,0 +1,118 @@
{ lib, config, ... }:
let
type = "btrfs";
extraArgs = [ "-L" "nixos" "-f" ]; # force overwrite
subvolumes = {
"/root" = {
mountpoint = "/";
mountOptions = [
"subvol=root"
"compress=zstd"
"noatime"
];
};
"/home" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/home";
mountOptions = [
"subvol=home"
"compress=zstd"
"noatime"
];
};
"/persist" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/persist";
mountOptions = [
"subvol=persist"
"compress=zstd"
"noatime"
];
};
"/log" = lib.mkIf config.swarselsystems.isImpermanence {
mountpoint = "/var/log";
mountOptions = [
"subvol=log"
"compress=zstd"
"noatime"
];
};
"/nix" = {
mountpoint = "/nix";
mountOptions = [
"subvol=nix"
"compress=zstd"
"noatime"
];
};
"/swap" = lib.mkIf config.swarselsystems.isSwap {
mountpoint = "/.swapvol";
swap.swapfile.size = config.swarselsystems.swapSize;
};
};
in
{
disko.devices = {
disk = {
disk0 = {
type = "disk";
device = config.swarselsystems.rootDisk;
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
size = "512M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "defaults" ];
};
};
root = lib.mkIf (!config.swarselsystems.isCrypted) {
size = "100%";
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/disk/by-label/nixos" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
luks = lib.mkIf config.swarselsystems.isCrypted {
size = "100%";
content = {
type = "luks";
name = "cryptroot";
passwordFile = "/tmp/disko-password"; # this is populated by bootstrap.sh
settings = {
allowDiscards = true;
# https://github.com/hmajid2301/dotfiles/blob/a0b511c79b11d9b4afe2a5e2b7eedb2af23e288f/systems/x86_64-linux/framework/disks.nix#L36
crypttabExtraOpts = [
"fido2-device=auto"
"token-timeout=10"
];
};
content = {
inherit type subvolumes extraArgs;
postCreateHook = lib.mkIf config.swarselsystems.isImpermanence ''
MNTPOINT=$(mktemp -d)
mount "/dev/mapper/cryptroot" "$MNTPOINT" -o subvolid=5
trap 'umount $MNTPOINT; rm -rf $MNTPOINT' EXIT
btrfs subvolume snapshot -r $MNTPOINT/root $MNTPOINT/root-blank
'';
};
};
};
};
};
};
};
};
fileSystems."/persist".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
fileSystems."/home".neededForBoot = lib.mkIf config.swarselsystems.isImpermanence true;
}

42
hosds/nixos/x86_64-linux/summers/guests/ankisync/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
ankisync = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/atuin/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
atuin = true;
};
}

44
hosds/nixos/x86_64-linux/summers/guests/audio/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
navidrome = true;
spotifyd = true;
mpd = true;
};
}

44
hosds/nixos/x86_64-linux/summers/guests/firefly/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
firefly-iii = true;
nginx = true;
acme = false;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/forgejo/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
forgejo = true;
};
}

44
hosds/nixos/x86_64-linux/summers/guests/freshrss/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
freshrss = true;
nginx = true;
acme = false;
};
}

22
hosds/nixos/x86_64-linux/summers/guests/guest1/default.nix Normal file
View file

@ -0,0 +1,22 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/modules/nixos/optional/microvm-guest.nix"
];
swarselsystems = {
info = "ASUS Z10PA-D8, 2* Intel Xeon E5-2650 v4, 128GB RAM";
};
} // lib.optionalAttrs (!minimal) {
swarselprofiles = {
server = false;
};
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/homebox/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
homebox = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/immich/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 16;
vcpu = 14;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
immich = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/jellyfin/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 4;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
jellyfin = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/kanidm/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
kanidm = true;
};
}

43
hosds/nixos/x86_64-linux/summers/guests/kavita/default.nix Normal file
View file

@ -0,0 +1,43 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
kavita = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/koillection/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
koillection = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/matrix/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 6;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
matrix = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/monitoring/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
grafana = true;
};
}

44
hosds/nixos/x86_64-linux/summers/guests/nextcloud/default.nix Normal file
View file

@ -0,0 +1,44 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 3;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
nextcloud = true;
nginx = true;
acme = false;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/paperless/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 8;
vcpu = 4;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
paperless = true;
};
}

42
hosds/nixos/x86_64-linux/summers/guests/radicale/default.nix Normal file
View file

@ -0,0 +1,42 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 1;
vcpu = 1;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
radicale = true;
};
}

43
hosds/nixos/x86_64-linux/summers/guests/storage/default.nix Normal file
View file

@ -0,0 +1,43 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
proxyHost = "twothreetunnel";
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
wgProxy = {
isClient = true;
serverName = "twothreetunnel";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
nfs = true;
syncthing = true;
};
}

38
hosds/nixos/x86_64-linux/summers/guests/transmission/default.nix Normal file
View file

@ -0,0 +1,38 @@
{ self, lib, minimal, ... }:
{
imports = [
"${self}/profiles/nixos/microvm"
"${self}/modules/nixos"
];
swarselsystems = {
isMicroVM = true;
isImpermanence = true;
server = {
wireguard.interfaces = {
wgHome = {
isClient = true;
serverName = "hintbooth";
};
};
};
};
} // lib.optionalAttrs (!minimal) {
microvm = {
mem = 1024 * 4;
vcpu = 2;
};
swarselprofiles = {
microvm = true;
};
swarselmodules.server = {
transmission = true;
};
}

28
hosds/nixos/x86_64-linux/summers/hardware-configuration.nix Normal file
View file

@ -0,0 +1,28 @@
{ config, lib, modulesPath, ... }:
{
imports =
[
(modulesPath + "/installer/scan/not-detected.nix")
];
boot = {
initrd.availableKernelModules = [ "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
initrd.kernelModules = [ ];
kernelModules = [ "kvm-intel" ];
extraModulePackages = [ ];
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "Vault" ];
};
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

58
hosds/nixos/x86_64-linux/summers/secrets/ankisync/secrets.yaml Normal file
View file

@ -0,0 +1,58 @@
wireguard-private-key: ENC[AES256_GCM,data:oJkwX64LSXAaGXvEKbK5UPVtgFbFZSh9EQD3s634fUR155TT7yxI2YcHd1U=,iv:y666pwtBDTF7DMWx4vJu65VEBnuPBDCirGeVkntmVyQ=,tag:OZR6wxla3YYEZ2KtNbKnDw==,type:str]
anki-pw: ENC[AES256_GCM,data:CVZxqubgfojCeA0=,iv:Ux7k27srI1bMh3nBlGGkuimcJkKkmkjaNBph0X0o5vM=,tag:yUfVrCl1srD1V+3wXSbFug==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVmVIbWc3UzNvQmU5b0cz
Qy9wWjU2MlJQNWNFVlgrVEpJNE12SmJLL3hvCjhZN1JURjVBZVE0R2IwbXhtaGxI
c1U1MlJBMkdWRXRVM3cyUFdCQ3hrTHcKLS0tIGlFZE9Cc05qT0M2cXBRZHZ3L0lm
eWUxa0pZN0hyTjQxRWdzWlBjblh5ak0KmVuGpc7DA+6XZdxJDwHYrJeqs/2fMEUq
w9KscmTXOdWOjIQjexhvhUdKT3eodSEK8MD21K9ebdbyo6fht+xMyQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1kyue7mfvzuxprjz2g6ulz2mxlr57rgzg6lfpnrqedkelehley5ls3enwsd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdlBYTnQ5NTZSd3V0enFr
QjhCbFNDYks4OGpYVnlsd2oyQWVNZm9raUhzCndCNUpiUytOVTFkT1E3bjZkSk1J
enNpZXBwWlpIMHRKSmo3cHNJaFJLVDQKLS0tIDFyQTcxV3Z5WXpPWU9yZVRabW5u
OSt4dklrQWphdDBvZmtTaHc3MVlQeUUKJJD3xPgCRNqqFxPTENXfUU0CP7Jtc4m8
gJFyP/XmwC0aGNpU0iQbuBYh74m/0n3dWa39kT0RDuAVxg/dfWtSMw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T08:02:47Z"
mac: ENC[AES256_GCM,data:bZ0SeyqYFrtn5P5lkuK1aVTKxoMVpN3+CHnvMFp+bIYW3eoDTEAey7otLh8psqS+0r9KnbsDTODTfVn2fX4xmRCI2bchflcJ/O6bnGhFjx0dVlmQXVzZg8LJe4+qvFxdGbwh5yXJnE503wdF5xN6xuvOBLa0Z5yOIsmd+X8c63c=,iv:8BXVbteOxr8ZA5Lo0sGN6JhFZF96gdwy2RjLMgfWPbg=,tag:pBCPHAUeleUaOCMJgGjx+w==,type:str]
pgp:
- created_at: "2026-01-12T22:05:16Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAvuxf0dkraa6xeMfzFlVXfzr0UB8Uz67oh9WrQ+HKIOJr
tFBvGqQn2jxMr1cQxfYLmiqDqcMCKkRUoTde+tlweguea2NlviHdie9cZe9BPFel
iz10v2cfGXLv608deaIxHPoXvr11YDm74EtXI3Jhh9q8WIsjjmH3sg/Aa92Y8P+1
Bgc5lPI5lgtyQMUDTiJhLWTH05yfhSMZIbgemB3snxPY7gQS7IJ7a2j3smg/Yb+k
9SFFl4l3D7Aml6K5ZHpAh1fgZmJWGev7qXMwii86g2B+tyY99cwgThlEKqHiTBHF
RaPo4oMHQ3UjHpOjwgD22wKunL3WJWJONA81ACInkyzPJza21CNtEqNLdElWymVF
IrK5oDDTEYlOfbDWFaJlAGAueTnZgHMMp6wDmLzmzkUDSfTYMoMiMoi9CzN878R2
QA0CXa+8Jjks+lNqmzreoZjJN+Iwip3ojDo9oK7afx8cS+Gat5rU0oBY3lzUJkVU
9Qo1Z5Td2AGUlrVVvpKDZ1BGuNpNgGVQjOLwysBfv2rFTCWE6feZXQS/He1sz+9C
n4+tHppw8DQMLcjGKOcWFQKooy23SJC6ozvEhV59nKU0S4WXsMIJBaAH9N7yGw+p
+gSZvRLELJyAy4rS73+JKDozxKd1D3m64HdkxCGky9P30kuNvz6AYHLD3Bp+OLKF
AgwDC9FRLmchgYQBD/4pMJqUXAs1grPDANrJULEH7LIRQEK6O+7FyBSrQvXgFICx
Cxagn5ErwDLxbJ6Wkx8vW8hfZ++N3eSVQz2UWMemvWxcakgR6HoAHGtjsmydSzAI
qMHuKTrap2hHRqAKW49R8/9ZVkAP8IitmhsVRw6HGNjMTAh2t9yNXM6yBFIwbKXH
y6LTrLjJ+MmFY2UvkqIx2qFZhgdn7AzNbHriGmE2vSAGC8HVNTIfymuEleNLciRV
l8uoUn81E5NC7OAokCAvBX5CjO3sG8ZP0+wqkax4F1xdiNo+piD5QEx3HbP+fQpH
hUFiw5ZBBMn8LZLTv8HlBXP2GkkaYUO00yjDxkFsws9PrJOs/h/pYi8olaFX5OF+
o6cuM370tHyXC160aCOKGS5miED6yceT8ixWgj0E4jqyO4WP3RlBiu9OTOsz0J4X
ylFAHdT6Dzlx8q4G5GfjWtHXIjhcR4qOquCI/mk8WkVDDCaOXplme8Ja/EnGT/cj
KEqjebGOINZRW3e1Ip/QAzwXwxM34ZNo6ltBkPGe+QmYIpZVYpQ12mepItduaGXc
LmUxJMODx2p+sgEyZi9lyIFMq/Ny+VifZQ6ux68jPOTq7Act3JRs7irlg5W2BCps
iT/6YnGLvmQMMpEaGtN1QIuXNvpR0QxL0+5x3AxT/eu+3FXuzVDBmb2w3dpq+dJe
Ad1Ft708DUYEAjf05YPsNsS1RycS1rz+WBCx+4bku59v2EHLupK6N2jrXDJbA1YQ
F0RZ8HESgLy6SSZltZaTNfcT4dz5/RFJ2hmk7WRrhzs9k1bX9N8vdYPuc43fhg==
=HCKN
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

57
hosds/nixos/x86_64-linux/summers/secrets/atuin/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
wireguard-private-key: ENC[AES256_GCM,data:CBL7h5Ip5Fp5tnY0Cg5iRC2MKlPjh6DG9BRVHbD6wuTO/EAV7O/OpSXxxG0=,iv:WnBTR+0GwmUO++JhMd/2alVuIPhXBT50Qwc7Z9umVC0=,tag:4j5ieGF0gedQUD8SWBEQ7g==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLb3VuQTBmWXNrSkVQcGZy
bWlSRDdmdUVGYVJ5d1Awc2orMHc0VDdTUDBBCi9ncWU4NWd5R0pqMStvb09NR0Nr
NTlNc3R3YnNmUm5XU01jVmd6OE8vZG8KLS0tIFNqa2xtVk5zWmJTZC9BbGFLQzN1
aDNGUWo3Z1grUkJqbGlhV3pvNTNVREEKEito29fzKN6Gqzp2z0ZSfeTmYXnvTJGL
CZOLeeXMuaUf0jRD2hZnAJgGpglMjM4rIpEBvwCBHAUUN2/Nh1ONkA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qpgj3ell93rzkpjq0ezs6t669ds3nyxx67pj50smx597pspz6fqs4jc6pt
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwb1Z2cVNjVHNINkMwZVhm
c2dVUHRicWJBV0k3dU11QnpLUVk0c05FV1VNCkUvRS9yNml6SjczMGF6c3A1VWtY
cjlTNGl0NkZmNXFKWmRVU1ZlZFdKTk0KLS0tIHo4TmxrYm5scEdjQ1V0RXVHYmFy
bjE0WUoydVRRWDRHRkJtTEtGSHZVRDAKhsuhfBoI1I7pi/DBs4pMSiNzZ3qa23IH
Px5rvj3lMqvBuUHUhKaYIKEs4haNW7lKdVTQt2KZLZ6SUwAhmKZqLA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T13:36:32Z"
mac: ENC[AES256_GCM,data:TQWNPos7lbjMFN3w8gMUBdik0YqMjW6Wa0qBPHwrnnJZvpOJqzKBmKK4boHD/7kvrOD3yo7RKdp/n2gAJBa0+atSdV6LLf8gFBPOHFa6YWEu2adOjtayDetQiCy8G9ygjC4x/RDt25SUC/+UbgeKuoMKsjN2lOZFe+/zwAYpF0A=,iv:6l9Ev9WQZQMrLhC26z6ydBmbBtQJpJHBM/s97X6I3hk=,tag:QTQVTjOz+R19xWgWOfWC2A==,type:str]
pgp:
- created_at: "2026-01-12T22:05:18Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAxBmEq+L+C7Oq0wjXp5pWt76/ItnTLuvY2LryA17mhIzj
9g3/dAtwD1nUlWPVku7uEC+bBgb1N5jNMgo+D/9gpgT7xTwLBPP6lTdZDOlcLr+F
DF/IDuFJ7nMIbKQ9Q50wuGxppV+OscmYhOYZO4Q1VYydaVFiOa7zcwOQk9a9w09S
l67YN5FYU8jk6S6RDq60+kOHtMIIgo4321QBgq8bQtzpdz6ikQXZG12zfG0R6wqT
66JiBF2e/EfAdWN92yZtDCfsDOosxmKnz1HNe8thHKOAAN2xXyV0lSKgJ5X80Wuf
WGb9vLKpyl3tkAqf6RLumvZjTm3CY1YAifEuNmvxLL1JKvr2dOatnfV8EurpDji9
N4RTjDAdSZPKVzzv5bL7BzeJjlIT0zKP96IkmAGFCpMhrrQVL+qxs0Ov+xzYR6uu
bQc38cvIdE3xYclY6dMLwdBpAyb9uij0nb9p/wuNmLYkV1c1tOcErwq80Uban3v5
YgQ6MaJ6sNYSQNDApxZpsdLi7TG25Pm9rDM4OCbUXIyD6CrHuI/S4kfoCAOv/CcI
1SCmQIhqkc+tc4bRYSA3vnZ6pRDCzMI16xI4rc1D1gH0Kk5d8eeFtwICKFPh7IAH
p1mfDbkMg/P7yXuXh779YWUzT/p18Z8PErCvVIp5YldF0TMGjlDOTFVZw0HvHFqF
AgwDC9FRLmchgYQBD/wM5Jz6VXbgn52zZ4FN9JNRW6tapuWy7HDmlOrZSMmWPmeX
5VVDjHZ2o53J21jI/Mm4QZsoKE9+C2JTFDFIOvDeGzrvGF+VTE2EdNGLtU9HzjwK
0mFnSo0GzSoo6UtrhdI6E6Fa/NjoUXI7n7A8m4Zg87Iq+UrVmiT/DKC9+7dV2zWg
JqZIHmGMItvNTuoUcMZmYG1AQt7dke1eE8cmGyxROLRz+z4laB54pBTIlN30p9Cj
0f+vqetUwYchZm/Zu8FRPAxD/+WNLmVb08CGU1uO98aE5e6dcglGGX3qlmJZXdbS
XIwTUGEtnQfwDE1FdHdzJGmvnnNUqGRP1/Ld3GMUOcQkqiJa4qgeb///oVBqd6uh
Kfr52CPVariPIfuUVs0nlfNZMnbgo0vN7ri3Thn+IVfIuV4IBp2GXnilbzKyoyOj
q+xDuz6GkUt5bNFAzh/e+xTvXC353F3MBrxuwJ1bQ67mhEUsDwjf2AO1biejLelK
nYID80VWhSFlvmLXuwJpuB87D4CiwqMJeFwzK128VYjxk6I9p4H/4vmhGhkIDqRB
t+vzjK9eTFXdUGz1TJAiIjE3DcQHJpfMfIoVbVOamfROGlPu97owiDGFonQf3XWm
Rgwowom3qmEL17zziCqAQ7i0YxYVo4322vI/IC7u42JZjs9AK3vJdm2Vo5iCkNJe
AVLhenywDkZRvIfNlz5HdV/HdNAl8VvOWoDZGADwTM5r/n9d/6CQkk2whE/uGrMT
i5NaKF8Zgv1CteuAPiXsZsIZsqW5W7neOFeYwToaQT5mOLM5UD9Ev2NZh9RzOQ==
=FbVY
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

25
hosds/nixos/x86_64-linux/summers/secrets/audio/pii.nix.enc Normal file
View file

@ -0,0 +1,25 @@
{
"data": "ENC[AES256_GCM,data:wIROKHVWuV052x4k858oCq+xZnub2DyGwVWEKbw5lwvIbat7q7GXawrYlX2owKXaPUBGjOmktOHdXIlal2TVvO1+9cXleYtcEXBsK7ifSfxTmLzDa3aOR9c2jqFehvxUlZ0NdFcAbvy4dAi+I8Olt/29gruDmRYZGXLUb129FeO2ugdzpNL2nAg9SAR5p+QWpo86TwwUFf2Lsil0YBBtMgdVVjcPHk2CP+BnZM3PNNqh+m1fU09BNpwTyXw0nEsL7L2eMYm3bjP/A72WqJckugdX0etN9ohqs1DdunQyuYnfOeMVMYlPQKQ=,iv:O4rR6PXzF5gflvcez4kjdPr718wDOacAhxVVMvZFKQo=,tag:n4xVVTe42NiUx7Gj/52mwQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwajBWMFFQNGkxMk1SVFI2\nakJnNVErdEEyNmliRVBwZ2tYUXNKeUVRU3cwCmhWSm5MbWlBaWRYRzNXODJ0QVhH\ndjNOVkNFdlZ2VmlMTVJmQzk2MmUzc2MKLS0tIHlCalVTaE0zODlzdUlWK1lHWU1L\nVm4xWllJeStzekwyMVlqdWxhY3J4NVkKgFf+DpK5+ChVdS9Mz7Xi5/8hk+IH0BrW\n6rMWdhK4uq4leM2b9UjJf9JJSQFj5/ZDmC+WF2naewVFwjM9B5rQZw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByRTBWTi9yOU1icTFpbnR4\nKy9ES1FpbE5Gb1FTekE0aHVyYWdFTE1GUDFnClpCeDA3RnBtYzV6YlhRaEkzYjIv\nQW1GZHJ4b01ReFIvbGpmU2hMMkxXYjgKLS0tIG5tZEx5V1BnQjdIdE1sODhhOHor\nbFZmSy9Ya0FlMEtxcXRtUGNlU2VjZkkK4/ejnIqhbdC8BSDVrW2uw/Xrxh/lzX5N\nB15g52lsvdCbIrUdHzdXQwOQuqBfQ67sHpUZxCHoJvojQuc/dwB8qA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-01-08T08:04:51Z",
"mac": "ENC[AES256_GCM,data:xEn7TvlAZnYUuWOoI6e5gB5lNYC+xAmmRNdPis+2m/AGNhH+++c/hu5xfLTqYOMXfs1QhD50Y93xXCT9C60J38cFRjnSO86NGB8hITYLVVBVMCd5LIhYoAhUnwg1+6bZ+gTjvY+sseh7WJ1dbfLMa7liWwtpKEY2PbioekKOnjc=,iv:X7O1YAaFkB/+aKd+EP3HK9JHJeLb6jRTCkVKLoaNlW8=,tag:hydcLTO6vj6TIS29maniaQ==,type:str]",
"pgp": [
{
"created_at": "2026-01-08T08:04:26Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTAQ/9E5jKJGSxjC4tTGfMXcn7y0WeP6ieFqFUev+wKhv2Ko8Y\noODbbdmsv+lGF2RfgAnOUdZ5TlKxueMg3npLlSRDxCPretpkOaEjxwuhTkRK69O+\nZUClaiL/LAg7iVq8LSo/gDH4w1ObXPB/wuSguMuEqaVyqJNqIbOU+kKCy+jSMwoH\nc+65puznN5jUYd4mPKgoY0mLMYxuK+RBmRWMwDwLmRvm2ZjOqx/mgv1zdb7LZOfX\n4z5XRFfNMPV1qUo0tGC/KBxAXKie13qJu5diAZTWaqlf0s+rhZWCVdqlyEWmI00m\nUeArRnw+23uSKQgHOJ7dlqNiSCRdoKtcH1XjyQNfGMTYinnWQBSvHYuA5K6mTsEL\nQ+flp3jLj3AxlIPn4cV9KX5nZtRluSlnA2V3oY4U3amsFeJ1GhJ8+veNxd4YcIyj\n2ZY8lLfCS9saVf2tAWBdKjvhbLD9k3pTUXLNrbknAZjoVzqkkujUfmkg6oOyb4JK\nO1Q5h5EFlRyIs281iWR0u3kLyhA3Xi5s1NZWSGd51E9Kaf1y8wfGMK4xC1r0zBAQ\nMwOJcrNjlNQGfKdANkWfjnOC1RmGELJ9MoKR6TBDhtamShrdNRatFWxsPo7FX2MT\nzy2xWPx/yi/bbjjj98hyiKI6n7Osan/DQuxC17B/5FghjTXjO8QxY6ueF3Bj4l+F\nAgwDC9FRLmchgYQBD/0QnAEJRsUnyknJ+csmzHaLzYOVPXNcEaftkMLDFSrtFT5V\n2TLARxyBaOWCdszX1VnMNrlLfdMLzGO7oX2GnwDrR/K2e0m2RZ/Nj7InWFhatLUS\nkCdrqkeJmOTNVqN67jycCKthfiSp12sYjR/Ib1l8Yelf8NlVr51ULUlonaRcP7ji\nXr4UNlg+012M5sosE2HRx1f92dQWv9we9t5ZQz/y9RaDnOlx5jgFkOzbTt/JSYHK\nEoYNLfvzebwwsfuZU9++Q0TEcAQGJ0vGoqx6ijb8fHZ6dlV/PLZv2G2aFpr7A2bI\nXhgBT0e1HPR/UsLy+iqInjTNELL1DX37DPYrwCgMMQqtCuFOhm0PvHxWNHKHXYLo\nMKN5dnapaNTKbjaZxBjCEv/PGWkiYo8Ho3HAPrI5XAfGfvOQQfpNQI/vdFZ2YxjX\ncw/waW2gPkDz0UlsUeAo1FzFsu1esz7P1BIX4Xm8v+dplZqTv9rZ6o7qed+0vka/\nWIdHvYgcaSgvzhz6W0NQqGcOLaOX8pqYJ72ioEjuwXZjAaY+/ZVkoYeFHAa8Ujzd\nRvv7nYA3WQknaOeUALruaOXZUMT2fpxNylRYaGZ9sEgXbyTh7TI5x1QssTJoNGmI\nxYA/d04CAVGBvqMMT0n0TL/QIdAMfyO7iKNhcjaakgQi3CMwYxMRq/NkgZJxQ9Je\nAeG/i9KsMknPTDNndFNOO/omjosqhEOA+FxeWWbT+FHdtxvPbVvKHBt9+CBIYDru\nOca/A/eslrtYbiJkBaGzrZtskPi+opIf6Nrn417B8fl4q8QtaFK4ndq5B2YYbQ==\n=XdD+\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"version": "3.11.0"
}
}

58
hosds/nixos/x86_64-linux/summers/secrets/audio/secrets.yaml Normal file
View file

@ -0,0 +1,58 @@
wireguard-private-key: ENC[AES256_GCM,data:9elXuNwaA1gJ/KtVnlkFbovrDGmPUfiUAlzejwRzUlCL1nL5klXsjn5BUWY=,iv:38u4rFzoidMYBhEs4xXeeJH5RgnpRqdKKjbuVU3d1bA=,tag:HJqn/RqdSh5zDyxwBYST2A==,type:str]
mpd-pw: ENC[AES256_GCM,data:prKWr8XWo2jc3DBwqMcplwS5tUadHx4RWQ==,iv:jmUj+89dCc3cHjejikTfYIXlEI1K2/Uy3uSxzcx0wbk=,tag:/hXqt2ZH9pU0IY0gMmPl+g==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkVFhPK0tVanQza3ZRZFRV
dVppUzJxeDF0T3Q1bVhwRG5LUUxjNmJuYkEwCkIwaW43WUJQeGhIZU9na3J5VGdv
MUZkT0c3TjhleEkxT1pTYXJEZlk5WUEKLS0tIHprTm9OUGVBbHVCVG5LcXdiRitO
WmNEZVAzb0Z3VmlJdUY2MmoxcS9FcGsKWX4LJd/06YtoplqG3gnXdn8Q3T/TXELM
WxGx8O0tFwCSWsW1qenMWtmHc4hA5edhdgpNY0Qng1KKc/8/IKibtQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1f63r2klnpfxmntswz5xydpa75ckgjqcs2yzkm0msqwqgz9aqgu0qwzr659
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5eUkrL1Bja2g2TDAzZkpr
Wm1IalhEdWNlTUxyd1lqL21pNWtZZmVhTUJFCll2V2ZTYjd3Z01vT3NQTTBpMk1Q
cGV5MjVuQjg0N3VvSzB5OEZnUzJDOVkKLS0tIG1hWCs0K0ptQ0N1WkFPNGNnRVJo
dC9HZnJuUGF1TElMckhTNS90VzBxVTQKt9wAUfJRc7fFLwzOiPN5ilDCY/nl1DPL
0KGjEPHfATki2sq7pIjAeY7J2LWwdnxLT4/mdj0xCltPB4zCpvEFqw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T08:00:54Z"
mac: ENC[AES256_GCM,data:QMkeCVeiq7+b4ft6ykag3VO5FDqIQp0hsBTnSEduYiA0FIR4QYmDhGVHUipUSZH/xllflxMv/CXNQqtW852LWWy8PXn7GzEXn3nEjRBZi89sEOoh03I6SfQMDWYR5wjKBy1hL7e8dZfEGONZobViM7U9YynEFqYpkvd1fK97DB4=,iv:MbchKNzaDBMF/YbBxkEUwxA0Uc/+fju4dgl/28trVV8=,tag:VwfuskgULOyBdJmJ2LCVxg==,type:str]
pgp:
- created_at: "2026-01-12T22:05:19Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/8CK6XOO+aso5SPpmPytXSyMW0D2GPtsQGloehxIeSWcSC
oUKgC4PuiTB3RBKIrYkySo3a/5esJoCvB9U2oShIf8ONHHvdrqIU6+gl5n/4LcOo
V7vCy2qYs2qZkch/4KRQYDUsBbGomoEoOVachvrI5EQLViBcZ67JUiaX2vlrmycU
udDehrw9BeHWLPZ3B2cmVH4IH3ylZqFtU8xzV770IKqdCirbv5c/Rz8XynpIqKZv
dzzXIjVvWp/n0C9nLuNWj2XYFTSSDE//k3hXQ6zDXnuAM6/1tlp8Ym0/CxpRe1cf
rx2XKa41J3Tq6kJK5d+BKY2TzC9rimO2DAvvDe1dPYofQd/YGmXMII71j3xSitsm
MCyR9X4fA+MiY89kf+keAg/UggvyBPitbimvUJXiuDuSRdkMxPnpP7cNYnzPdyy+
DK6nqujDsw0JvRGyP/vvMk50hmniJTVtJtg5g6VOrfZ8wVN/8lHqe75oTy4nr2Ai
/0vKWMw78K8xsD/Sok1T9KDquov5DpLz0r8HnbfpRShSOzHOsFAgAjJrVjTeDMuy
9ZayxRVv9TLw5SDUmeCJsiiYjzySHKxw42qAVBb8XDRMTZXWoDczG0qtTpB6HhJj
ZNBpOTttnaKJDz8Njsdw36zEJnxtyRWGeR35g38ikrzaKJTUvRPx0f91D/o4kZCF
AgwDC9FRLmchgYQBEADLSYEbTJgmYy8eE5ut8SldIpx0FNlZ50cDsbX3SB7H0+Lh
nEhy8TFRm9nj0Hu839EpnmS7fydlV+ba+NztIFk7NvrDt6vsf2gETO1NJbOrGv2X
iDIX1fuSZPO0MGdX4Jtj3tgSbT3LR62mLZBwdDl45PaT27E1Kf/2N8FYcZVsU/Fw
CFxngjVm8vngjBMOBLRumG3LOzgL+AUMjfJNrIkPwCqrfvBfuAZR8QQbpnqbIMFn
Qko/qYQKT0Q7+Gc5VC6nqITuG1UegDTolKFKncr0CG+tV6ydvvMpp7GYhDv2iFrS
GK+Lc2QHnS1uzb7gWoEbemwirJ9jax1Vs51pTwH6JuxMux4CKx2V5xDhvjKqbutM
l7qGVJdfnfe7uooP9mPZMoyhbm1rzkQzN1yXkkEVl8v9QMNpCTSC/Z3WSJdhnXTT
WCz3XgOZNld8xfyP/DvmBOSIx1ywhVxPiWPcMRU/bQMFwKrapmDqEeOCT8cm8yMt
FIpBxzD/DO6qgcegWPgNPhs4GYrIxRIBUloinvDPDj1qPX0wAk/4LVm8UTG32Mo/
oyBVWu6Z+OpqfOJqIjapRwpYcaZj3GPgJR7qt6JK+uSSHQZQdBdhXtBCdIivlRjs
qkn7YZqLYC1Xfo9XbC9aQDZNAaQcxxM4bMMJCkJiTN76kIl35XLG9ggUff8ncdJe
AbcUeV780SsPhEVmokT8Dl2QwJ9ndA5IVoYue7SA4/Aaj/iy0nlMMUSWi0xzoB+d
Ztu27YrQwkHeFSoVeePm7kNScQsz63mByZn8s8n1Cu9gKO+Klo7ewMLgjkhPfQ==
=WLga
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

58
hosds/nixos/x86_64-linux/summers/secrets/firefly/secrets.yaml Normal file
View file

@ -0,0 +1,58 @@
wireguard-private-key: ENC[AES256_GCM,data:PGK3JHj/xacJgxx6Ubwz/3bQlE2hYQXM6A2LvGlI+MeRzdLErTcZ4m0jJKw=,iv:fvDsmOJGvKzfoLhJzx6kab5S2kPQ+YwB4sXG+I4baRk=,tag:i7hHSnUA2n5fj4YK0L+9jQ==,type:str]
firefly-iii-app-key: ENC[AES256_GCM,data:Wu/gr1vzVcRXm96hTvSO9bIRsvZ//2ZsTVJ9igrPU1h5dGV0fkI4rwQfb+5zhy4f56Na,iv:5+c0DYC0qVNRQMwibCpWfN/ZIiDUTtjXhKuZxMq+qs8=,tag:Jx2axAZr95/EqvH2gl+rYA==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJWkVMY3FMV2poVW4yMkpP
OE9idHFvd3RxOVM5QVp6RU15R01ocVpZalh3CjRuWGRwektMa0kvZ21ucXRCTnFL
TStZSHdLOUhjS2FZYkNJU3dZalhkT2sKLS0tIEhpRTBMVjZzcHBjYkdnMFhxYUZR
YVhteGpyM0szc3hFOGdlOG4zTzVPVEEKij1r1aB2Z1aSN7kYB+ZS7GExkSOzv6NJ
AdMEkwaO3v0zdPh1CM+4d4MwTDhtwUoRwkBjN8sbCPrPozp7wZz+gQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age17328xwk0z3znalpmma5rvp0lt5ghn5p8xfvnrtdxwsw80dqysacqj9j37q
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYkFhWjlucDByY2U5M2R0
THZhNGZOTEdwRW4rR2hqQ0t1anBydnpzaXhnCkZZbmt2MEZSSjdwUkxKVVlaNUpr
Qkp4OUVVd05jZEc1dSsxdXpZV2lSQkEKLS0tIHlNMzNlK2xVcVJVSVBlTGxtWUND
MU9HcURLQXJVVnhUbkozRUNYZDdjU3MKXGFS875yubuu5HJE5Iu1QMzdSM3BsnkH
YytEKFSIXQ+8Seu6lYSkGvdHgE3V7AQ8iamtWbO2Q7/6tUBw8EQ78w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T08:02:26Z"
mac: ENC[AES256_GCM,data:lqey6BT0Wf/manMLp7LyApRqtnerCHrPndo3w/9i3GBkpWeas9JLx6+sXZFdodc3tLjA00FF0MLm0sjDSWSz3fDfSclVNEYWUdrspH9W0a6p95GAdclJARna9ncVG2pn+Hk1QoD5EjEhvOayz2A7e3yIO2aBh8U6coc21h9L0lo=,iv:n68z6eL9UYI28eBJzYe+1QLOfkE4Fba69VgOCnFVELg=,tag:a6jli1+cn8s0Mlg65sVy8w==,type:str]
pgp:
- created_at: "2026-01-12T22:05:21Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAAmUd73XL+lkM83C7ysNjtPbfHXiTVLUu1rgd9zyfM0iiY
yZ+t0FbgQ9fiRTz7myrry/EYTVo7iCWZGS+v6qYfXvOdQfRdn+0///VHZS3iL60+
V3/idjs5029dpxQg47FS1DzwKs/Vyz8VEJz7ppOHFsuwE3Mb90+W0dccfXqE/MG9
wCfidUaP2CQVtjcLQRUSpk7kAUONZF81nWQfLcR0jJA00hlyjNKftKTasEPouiWB
QbkDkvTLYZg+2PbCx7r648BlWlR+7gDhjanDZi40i+CarmUD2zutscza9hx8H6JA
1PzYZ2BgW/A8Dogtmy6iJ5INB4Eyd9FiIr/CG4wizWbB6a/0QY8V9+iAI4aflvoU
6/HQ/BYSgqd/C+NjlNAXBBEjSXhrFbtEo1K1Sb0Z+Q2OKK19sJrrv8shGl0gtUi2
xSbVUUff2KnIWrX7tpNdveAkpX2Bs1ijzHxnQOVTwJyKetUoxVZB3ir3JnWqTfkF
XQwcJawvzwN7wHRIasBUh+FdZZSDsM9ujApKJiNKRz4ZIFaoallV95+YyU5cl00Y
g2wVfDgXdwnBQQKxa0NqNC+DGdEKc9Tfv01nz90rlbEUmTBKWD+sZGm/rsq4NV7c
yBqy6hLkE516wT0F6Z0osMtW8RmTARx2ayv1glwdRVTo9Qs8RkDxjRmy/r0/2dKF
AgwDC9FRLmchgYQBEACGlxYcVJzuJZn+oSMxRtirnpFNeKOgvlbgc5Jy/HmCQBge
I/h7QEaevr0XSmPc311OekXOWIVF6JOf6HJQsN0W6oU5uo7fXecqpEG5WqVQjouJ
+sVxcPAZVGbbhTycf9VXySilGXFbCbiM8nBHYF5VrCTrRYpnmJBnJ1qJ2qfzG+4C
Iys2UQHymHfumz5qj28VDv/j+DTn0ZbYEbIE9vhhtYngzXOBYkPdOX8YsWkQvGB8
AhCO4OMGNbisIjufc6TTrVO2edqt2JcacXrSzOHj5lNpGqpK45a9lDKjm5eQAO2V
SJu5MPC5S9lLn4SjzHGMQBAr5WFH9GcftWs0WIPrPqJxRVXQt/av/fBMrnsoI0K8
XEfyfOL56KcG95xnXFJzcgQJ1RnXAQzGPVv3fPvA39EyHDUu2VM4hN167+Y8Jgns
Iaxb2xMl1qXB6dUD/8mpyCzXdsp5JtK4jPGfOk6A2Uj4EWALbTpGhcGuPJ59Qe23
Aao0N5Q6NU0EGzzgHMu4S+VMWk91Tol9tIgYCf80aXB30lQ1lFoXWhnItg7jrm81
a1f+f25UKyDPQBMFmNwbmp4xjEsFqOTvGJJ1K3lI1OCGNnCeKuonpcBZlH2FovLi
c9+P8rvmmzucTndDt41ywXNaSqDl0yB+Qu/rTG4ov/17Y0vZ9sUn2kDJlfEtbdJe
AfHjxuXT9nVKeWi93hFn1Gea7oOXMeh18KqBMS440ZiymFrR5EPadXSTtQiK/LyX
6VdwX+N/bGLdwMN+AQ3hMe/q5XtwaXle1MGTFqFdG6OjHlQDLgxng5gAP3k+5A==
=18JY
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

58
hosds/nixos/x86_64-linux/summers/secrets/forgejo/secrets.yaml Normal file
View file

@ -0,0 +1,58 @@
wireguard-private-key: ENC[AES256_GCM,data:2/usWvtboQJ3Yc5ixT/7ZUvk74aZqYr7ZUZVE78jvlSZzfsMrXWjWxC0Bug=,iv:4nwdd+4Cr2Kjbia/5s0f2C1O6vyaBxQR8TUSKyAqJhA=,tag:ymJLP2d6SGgVsw52S7q6uA==,type:str]
kanidm-forgejo-client: ENC[AES256_GCM,data:0S2Wt2/hP8e5qMXgI2cM3GApWoQ9pEHwiA==,iv:Utq8Q1LWk0TefpcwhSvXrulrgslCSnPanGGHSMPi/pA=,tag:ou/1y+DtFi/z4P54zzZ2Uw==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZZmZSdzdjUm1wRlo2aEgz
QVU5VHp4OGJsZmZaaTJOOURlczgvd21oM0RvCndQM2ZHMXNNQ2dnc2tNU2RLcFRx
UDlUZlBTdmZSR3dRNXNxRHc2a3cwdmMKLS0tIFZLYjlQdUIyTjM3SEluUVFyMTFE
Ly9qUUFqYXpDSGVrN2VkYmEvUkQ3clUKpgrTAWRPGuwyZL1PGVBhskPLxXt/j3Ez
iCEGbfAhrVeXRZuX/KXhjzefrjfrAq8ClZqdLatWF19L9lrVU8ytDg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1qdzkn6v3xhrfjwe8jxz3945dhyyhevwal0narjtr8whf9y7nh3wsn524u5
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaT2EwNlBDMHBXSEhNam9W
WTAzWlNxTHNoSm1ZcGZaV2liN2E0b3UvcUNnCkNOQmxXMHZveDgzVFAzL3NLRm1M
ZlBVUCtpUjJ0ZzFEL3N6Njk1VTlFUDQKLS0tIDRKRTdHcUJyRUZ4RDZHN3ZTWXZT
Nms2RkhTMmJyVlA0WWI1Y2Q2ZHpXV3MKQKvjzOvay04EATmgojC72aqbhq83c7jA
0guRoaULHaszycMsqICteNRn+tdLBh8L6EHXZC1GlJzm0e9WMeAOsw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T08:03:05Z"
mac: ENC[AES256_GCM,data:Ko12SPrZ65B+T8JIERI8a08uN87wwVndIweIxbr+TkcEsRyLCPziB8tMsTGtDIZkTG7dJywT/SeZ9gqnMgiH9mvsk7Uqi0hrmEf65fsqCVGTOi17DBRGS2rwbXkEmT3xiSL2LSe6+9rjlZ5B9ZUfO3hdhw+jy7rSdcaLu7R8LL0=,iv:GPBDabdBLbCYuKr//XlC578Mpw9LGJ/gM1etek/PtWI=,tag:5/qXhTCHxiCRka4N2qYVzw==,type:str]
pgp:
- created_at: "2026-01-12T22:05:22Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//WFYndpAApuPwCK8Xotduipm1kp1m9/7oy5q3l+WDHR2N
RYQyVUPYSlqzLRfRd65xgy18MHZwUP8iavWU0cnKNveB2c82rMtMRrLU1mvHPTBQ
XmLkSDAepqhbcMcXfVpOQEDjcesIKNMqLiiZtmcOPFcT2RvoyCovx3EKxlvPd4R4
0CGiAiApgxz2XSOLoalzHF85p3I0/Sfvf/V9CfZ/oB199PCYF4qlPzq9Xn4D28qT
67EglnxyFY4esd+9/QRt3B/5RRmzVK4Cc3+JxFO47V+PbkFo+GvF6tv8eUakzCI0
Dn04VvLsQ9HhaZsjLU8WoX0GRrLjDD/1TaLmM+JFV6c97fN3IBGBSKZTdjOt55ZR
F/oAS8W6aOuqPSr4PaHEOgpzLwpu8IHZ4FNzjeHAGYlK8QjRGpq8Jm/Lz8A9Buy5
XLS47JspVFLIU9FaWzOBHn6IIkewG/b3fM1kA51f3OFP6RprQ1OvX5g98epW8Eea
M/wFdVMU6HXS8FLAhQZ8Sll5iO0SYyzDM/tgXpXBo5/gjU17Ry1vkzJqQyWmuYWI
UqqxzHnOq/eUJIiXS8Qgkxo/WgMAEEJxLfH+KALzO/KD5PsIRmriSXVGJysXP3lY
tiJPouhDTt4+lapMjipV1bH4kHPoPlfr9fY0t7YSf7NOC5mDNqqTjSYMZXY8UKiF
AgwDC9FRLmchgYQBD/0ccxFMrAOMz4eXqQQXwTf2/nJh7Xz7GxgdhbiPprKDVSoq
mcnnyMfHTAFahRYdCczU0sIj9uX5CVZuSSCv/PqjeSZb+L3ib24EhF+TxgqEPRer
XruneHFK9yu1Y1h++3Li/77DKKDObnqgCZGrdKSgIuakkK2Ki6b9gcaTKLZN5Wmh
tE7zpYQcnRxGW3GdQAuOShsfPZqEO2YIzIecitodPxPaO8PzqTZRhoRclmL91MDT
MtthC4ik7MDEV9nz8oV/u4pqf1j+xJZ23u96Kl4KkowIK7rSE1OYU4onw2mKXgNR
FS+3xqw/BFXgXMkXW+F9GyGPZkxCWuztZozIh9UyCiOErpzPDG/5Hy7v6BzzKaJQ
YMlukdhUw3B9ciB86lKoJSgiZpHeU2J8LZ649lGQXNlplEZnWOkyWWS0/g1Bt2VC
B5egnFOA2ueFGWg1VUzKcIFq/DsqMOXnUMh63KuQrAIovuQnYLyDavGt2Il1LVHj
tiVE5svsFd3o9JyUE8YcP0VDKTcbr/kVJHYA3o+7fLtUD6TEdiQxp3Z/ZPHdCftE
o9t80iekS8k5TYOJ79XWlGw7o+Ip9Zh4G+NpHmKLZaLGrnEFuBMnDRVUsU0CxG0S
ZgUbjLwcX4QxdBEKEgnDip2ink1IdciSlNBpYX6btRt2EPDz6bxISGsI5kTKZtJe
AV6D7C/OYyDUPCfT8WlcDfF/hGiSnf5NWeIlZQ+g1DOuEYDt2jztNFhziVvhsQoO
VEC3iYgq28WyTrQog+3F/ktu4x883js1bbtFZ/b6o9ZM8oKbfuYtUO0v/7CmCg==
=5YlB
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

25
hosds/nixos/x86_64-linux/summers/secrets/freshrss/pii.nix.enc Normal file
View file

@ -0,0 +1,25 @@
{
"data": "ENC[AES256_GCM,data:tGnvFaZgx1Gi59DYlV/4+VswuvBY5K/XN6yomaFk9AnsslowtKAPKHyH5dM5rqe0n+Ua7kI=,iv:qwXybQUGanHXQXzDU+jJn/FI5mmi+PNUOCTsh97tmDg=,tag:jQtXaFNJL5jeTtSodMCmiA==,type:str]",
"sops": {
"age": [
{
"recipient": "age18cgqlely56hgmhscllkmafwpjdk6dwep6ej3vkk97dzemp8jtuksqrrjjl",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5TXJSbjhWcnVqaWlKV2M2\nQ2lNUW0ySkh2TFdLblhmMWxuWXhJSndFc0ZvCmkrRnBxT3VRc1JoQzMzWUVHMTlr\nc0N0R3R6SzVwOHYwQXI0eFVOakdQWlkKLS0tIHcrMXBBS0lRTzN3Nk5YaUhxOFk1\nS3FpRXFQRTBNL3hRMTdlSlFXSUdSQ0kK3OhWMXUSPhfADCmiuRfsIv+GJ0SY0sar\nVchVKmqPjGg+ALF/krwjaIcE2zrlK2tsngGja2rO5vZ8YS5BFzVQ0g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1nanlervuderw4qskcuessycqy2yfmptl6nym9scgp9ky2265ssmq3u73r0",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeEV3YXJqaCtoTUtVNzho\nNk9Dbmd2bmNXTUx2VS9rNzVhTmR4WEM2Q3hBCmo4QnlMN0ZuUHRvUjhZTHdET1o2\nTmw3TUZTMEVCMGpja01TSGRCTTExY1UKLS0tIFAzTDIwRHplNHFyMkVmUjVxNjNL\nWTQ3YWRkVnJoWGRucTJHaXpHMUN3VkkKFWSY1u7Ksv7SO04f0pzRYSk0GWz0lvXv\na3Pd+lGrH0q3CX1i7beq587bNgqxTdDlWzsSQSAxWkacqwb1eB3KAA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2026-01-08T08:05:49Z",
"mac": "ENC[AES256_GCM,data:sIUIH1PfvCnm2nlmUOCHX/CihlLTcNP6PWCRH3tqpwS13uYF1DHv7Km0DiZJ48YOBbCiXNwEVzCttem+BXCvi0eDkqUasAIjBOmWBp+W9Z8bnDk5luztxLeb6OKqO5/8rrR+bXgb5Z3cRiV4VquVMA0nOkHq4f7HvQ3UyTWtJTs=,iv:hmKYcWSfdnI+mjUvH6zO1PP/wDj04H454arzROjs/tE=,tag:zY+CBOj2DNRhKNkdwnYhPw==,type:str]",
"pgp": [
{
"created_at": "2026-01-08T08:05:35Z",
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwDh3VI7VctTARAAmEfso+foaYdccWYWrumexWByHdZHdC2PzyiIWWUIddY2\neXifkUu4/x5lI2eRrAGqUTJqbtwlMloq4uUcZChkTRXhOv7NLLstnE6PAfhsCOOq\nG76DjeI3cVQnFdIP7krTHPyZYBrk/iq2KAh91EDYQnmBBKy8RT77/b0tzyJgpKOp\nIs1YqMQfP6RQJeDJXFGJy+KljTsyn6lxRjQ9Fa8N+UmbZjX8QW8ZNU+Za9J/r+5u\nlznZ/V02jB2tRpOOnJSORrLMy7mIMBN6j08hbb5T2dcHQUTnz9VEJx10FTHCY43I\nMFGzt6Etv1Pd/TkGQILlY6goIeyTzvlfa2Kd+M0N5YzA64MBhOHCJ00yB3rIAy0R\n5a6BWl6t9zlU+YxMTaC0bZdclBp9E/4uDJBVHWcWTRHKgiYndFbIq0uc+FUSQnXQ\ndXM7f6wSLOR0Gk8pUXSGyoi8rTYri5DKyVeRg6H0JddIkEKMLBx7UD9Z1u9kFpTE\nqlJuYip+95DSr7UbE3WSuoFmX+ZHv2XCK+rW9k8MNYu9EY2VbE+dmHCytITpdrlU\nJyAHfIvzteRm9Ub5KyYkZU8O2ARfP7V49p4IGZDVPM42IcERbpmYUORi83e3VlWt\nllYrORH/l4qYLd6LPQJVhPOguNlHk5GomWo5ozd1AQWmLXbX9E7uG+zvo3QVAgqF\nAgwDC9FRLmchgYQBD/0S7E4be6vcAb9P9WfwPWiYR2SGa5qZCGsgnXmroAYft3yc\nxFM0T/NP8Q2sFT4DU8rn06jBQnKG9sb7hIfMTOTbBzrERQEPwNOOlhRMesM7DlIi\nHG5VTvkYk1k3akYjk5L9WCE7GMU6ZUb93K3DamESt1bxwdRm/UwrcgdbEu8YHX4c\nm7rLg9T/f4OVojMh/gKZ9RrwkpZE+d769FSOql42gTLheYjGWarntE9TMFZGnOZ3\n5KTvl8AfZwN+j7/LIu/6EtMhvmHy4UHNR4wiadY1ONQ1hlPPapBbFdayy6ap1azb\nK4e1vYFOj+8FnDO0TUGidZM7JUoOSb039Tc6lcI6qc5dtusQTJyD6kBX7BJq+mgU\nCDbgMjmLdSU8d4nTHB1KWZimIDoGvste0+sF6f4cBHfYW+QzqPikYlw8TdZvRQ/1\n3Q01dEgg7LrgNBjMSUZvfaYYkcSz+Uqkhs0vq65XLmAMfGKIvqFrqPSjRuJ5vQV7\nByrRj+rL36th/3Jew25sBbR4RIjo4otfSWIga10epijVs+14D2g6c+bKPf3vk6ZF\nT04KP80pLpk7zTlYJI1OqxJFLMiONZs5LxHdfNSMFGw9euHuODQVPKZBE5c52KhQ\nn05tWLkOBzyiiAd50fzaVQxa628VBhCHFlIG75ZC+wCgV+urFasooBRoUhxAntJe\nAYhJ1fiT5W/vhYZy8AVDnidVPv6EpZ4DwF7E4wm0rx/Vy/np2jXiavraMGEL/m4/\nM62snldKaZgGFc6K8DTZdbrGBGySZ2LvAP8QYNGckQ5CW/5CiCCS+NEqEVKhZw==\n=FEUR\n-----END PGP MESSAGE-----",
"fp": "4BE7925262289B476DBBC17B76FD3810215AE097"
}
],
"version": "3.11.0"
}
}

60
hosds/nixos/x86_64-linux/summers/secrets/freshrss/secrets.yaml Normal file
View file

@ -0,0 +1,60 @@
wireguard-private-key: ENC[AES256_GCM,data:NrUaY1DMA+fOLEZ9kPJmrCIHUDZxg46XFjcxTkt2Y11WOTl1ky4BYEXElgI=,iv:VAPVXRtIsHQX2DitGwy24dK+9zq2IY0nL7BuZvl8xXw=,tag:bKC4BGI3CDl7qhM80ak0GA==,type:str]
freshrss-pw: ENC[AES256_GCM,data:nOwhGTTUN9tJkU8=,iv:6urp7o0LewW2yQep6LGEWUn7jxk92pLClOwWyT416R0=,tag:5V0xDwwjeEdIlaU0qNJ9nw==,type:str]
freshrss-oidc-crypto-key: ENC[AES256_GCM,data:nEoIHlKXpgKlJ1iFKLUdb6QVcU8fMRoZ+oghGlrnH1q39HjBrNrzmA==,iv:7LWlVkeaviBlsU6aEevF/icHgROR4uThxCD59txUmTM=,tag:P/+UQHHz+t8BckaWhjKYig==,type:str]
kanidm-freshrss-client: ENC[AES256_GCM,data:BTPaUyI7qrBpiB+0zQKJw9odT0fRLc+zFg==,iv:9u25+thsHm+0Ganm0z5QtsgFBGccpAIPQa0aYqqHkXA=,tag:cgCvMIs7jUMe7QiDPznbtA==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCclk0UDk1MDhkWXZZUGxM
Zkg4SVdpWmYwZGx1QW1uVWYzU1JZWUgzcVFvCml4RjBydWk0cUVaUkVhWENYSE1G
RC9pTHdPRzBNOEVSdUZnWWthQjFxajQKLS0tIDBtOHlxRTJTRENIMGR5SmUrTWpZ
RElERUIxWW1NZkdLa3M5ZkQrMkFuWTAKODsEiS7hjvztH4YYkiK8Fr4Do+wbroun
5SGawFG8NmN8P0WWVURKpDDafP4plVHj5YOkoAZJXgo0NyoOLsXjmA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1etgfym5m8hn3hxs6cgg757zcv5zg5n22wq38fuq59n7qk7nef5uqyg6vvs
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUW4zTWhQOTEraldVeUp2
ZHpVeStLRmlvcCtpOHlGTDFYZWVKYXpka1JVCk5IblN5OHZDRnZid1RwenlCRlJh
MnRYSVRXcEtyRHo1M2JNdEJHTkpNazQKLS0tIHUvMkUyQ24vSk9hWnl0cjlEQnlN
MTJsZzFzVDZoZ3lnKzVLNk5MZ3N4WmcKEziK8e7aqxGqJwOG4s8jfUmjiL+gs6sY
KEI5LugBaF66fAB3Qf9RX3XaaWWSQ3C/yuiv7h60kE5tEZLPtZxssA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-08T08:01:49Z"
mac: ENC[AES256_GCM,data:+RtsIjA8DXxCGeTqsb24DQdP04/8oEvviiYp+SSfvCiUL4nu/WkAIAHdcC+Gvw379vnq1N38JPycB3mQbyabC2lUJ85oEMmfn6YDdsoIxvdDuJuN5VGhLkqXdwgkfJZU+e1XUDkGmAalWeNFTlE7i51qecVevdjPf10YW/V1QZw=,iv:TEYHADkS50xgUCQ4ftWv5YcIqSX+cYgeNbPxSbp0+fI=,tag:+PoSBjFfV99vOZIkNJaXcQ==,type:str]
pgp:
- created_at: "2026-01-12T22:05:23Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//TVYAbB7pn/T+SaE0DRIYBFVG8PAiyh3zLt3LcJyYZcwy
sVqcJgbIMMTDqJck0XC/RCzIAGhHiSai2rK/TUh1Wm+xQxPIVu5YnmP5mZlX6jVU
EZ9KRuzBK2Kc6FTbinOR9KZlxHKre8QaUNKtXReha4J7A+qQ2wqt41uKupXXGGNv
/NejcbMjeyBUQjkIzT3H5bVZLTOeiv4/tc66Y24p/pz3vcSlUO0GubJ1/sbu3B4o
K/NZ2HC/OchsBJt2Y27PvEIbZJEzY7ysW9tOs6TNEBTCgx1o86WxeHAxvyx9PRGs
6Rx2aSBLSiZe3AJSauOVmJJDQ1nIOg0vHAH86+vLjqeXGAAvJgJOOTo+/q9M059k
xKYmXSI6LNnqu+6vGPHutzv+oO/6Gv2vSy8n7zO1bahlAndluFMkOMKzkxqooCV6
v6a1r6slW29Z8UeUlG1iRV5634NvvlQBhp4ig9euKwq8FEY+dz6XUFqnMbY+auE2
NRwVstJTriTKuBo8stXP2tyvwdpfMem4A5ZSpl6kowx9gvWMiU7aG+U/CLEMHtHY
hWv66eNnjC99tLAJ3lqH8Bd4UY0m0i/P5NFZWRASESay/NSa2BFubNYI6krVWTo8
uLuvUXSnS+QmlZnr6Bj8nuKUto7naMVkRbiT7t/IMe2vLZrX572c4Ye4/oJJIXKF
AgwDC9FRLmchgYQBEACLXg3KxCtZvfv9ACfHU0jR05aq4vq6/RNwb82KHNNjHSYb
LWSiEkBVl4bb5isRv4EK3CpuuTL1Jv2XIfmd/NjHjZsQRAu2gBcmftXNpBzX4VwT
rB0mBBKGyUWdeleGPOyXvucrAjOqJ4gOVJxrGp2RUbPcUG/aqpuSbmJFx8S5qpsb
ZEdMdNLVZfKzzP4Z7fpPuu5AXyJ+O3IPpFqvChdM04VMYAECGhoZZzIt6UIHkzrO
BBNaXLniznNZ5LKArog8G9WfYcC6egmEP50SYygGok+66QwkTdM0XttUq2M17KwP
xA2Ybgh8JuSI44LJOfx6zeLQqku0hBfmVuvyw9YVoicoZisN/jJYtkk9XOmILlPk
Fw0tn/cy6h51CqNbweGY0KTDxY6pZTEXP21CyLqAWQ+B01JB+zuEq6C7MEH+bfZU
L7Z61tN+j64IRvYGf0YP03Dj4D1vsJ+zp7asQ41MFu5HpAzfU7xcrpa3EgGRYxkT
6b9m/eAyf8+olEbzVgLC0UkzofXvJLjxuk4zmxdF2WOuKoV+yt5kFjXQGaLozqTN
ypbERn5QCZ6hLYUFOvsqw9avfVLRPVq8JF1YLKEQfVjC20wo6BuwcosbwLeHLI08
NAHCLHC/6iv2/Fji/57sKcy+qgoIYOhAvWE8wtqCU75379UUIORNFaERaqizy9Je
AXWoZICaEAb556k67dLO73IW5/2yhNiYGzMluHWRcczaKaVmKzrdjjFKhFx3mMof
SmR3Ga9QprYqOXas+Ouok4Qe/zj6YCW8BUcDHFB05OUl5pFRL5ksTNh5V1WrlA==
=RK/j
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

57
hosds/nixos/x86_64-linux/summers/secrets/homebox/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
wireguard-private-key: ENC[AES256_GCM,data:uDvv70RDyd0DEA0IAowsBLKew2k1TzMPmrVmIW1ZuMtSYxpstq8x5l2MPN8=,iv:02HfUl4lUkhlBzgOfvv+hRoyMMAaGcf9PooRAZzgjK0=,tag:dL/qhDLjzMP/4ENUcF3WHQ==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGaE9zbmtDVHpBd3NYcWEv
aVVFVmlESDJJb1ZhaDJoei9VeVRQQURaanlVCjErQ2FUYkhyajczSUxSbmF6R2Z3
em9RVUlnTHdrNXMzRzIvOTJ5UE84RFEKLS0tIDg2WFNQWktUQnAraW9HeDB5OXhT
MTMzMW5zWFloeGxpeGpjcFFZQktJc0EKnuwMW7Zrtr8XZCJM2E8M3WcH+0Ecxz6n
y1bQvo329+Ssx6Igf/NYLzaQVtTgrjrAVgQb4zSu93Ofa8tFRHbcaA==
-----END AGE ENCRYPTED FILE-----
- recipient: age17mugmkdw0y768a3huuf37r45eff9apyknxvwk3agg6xzsjmqp96q57tcty
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJQ1F4NkdvTmpwQ2w2YUVX
WFV2MGkwb1dGT21Xa2c4TlJiZlUwUmgxWHpnCkVOcGZVV1pRSGhIUDhVUXRpM2E4
dWRKM0VNRTdqN3V1b3hZSUVCRnEveXcKLS0tIGN6b3ppcmg4VFNyNzlSTHY4YzVh
REhGbStZeENKNStwVEZiZVpPRGRmYTQKCBks5jrHBOT8xMGtssxM0ojTED/j3KWP
d3vcpKALxweAgdYExZBYrfg54gL+swAqEB8rLW13+ZOB1xskrg/HkQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T13:36:38Z"
mac: ENC[AES256_GCM,data:4ZeARGvSyuzNT2vFJ9ou0JeZ9wyTU443BLHINsEzchHDCB/xlMjhrt9N0DIX+EfkMZiRukUw5C56HNgBfD5uEBgt1lbdBfLQOnUgVlP3EC7HXPZXYEOtS9kj2j2VTBHnGFOZKDiBVgQNJkJ6QBmJtx2rEwQcCax3DeHO/RyLleY=,iv:sCrpoKKTN6X6GoxPQvSaCaiY3b4o9QzLWCus62ltLwk=,tag:kN4UXDS68/OvEi8ZYafLFA==,type:str]
pgp:
- created_at: "2026-01-12T22:05:25Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ/+KFmJTYxoCvXPkfwNcE0+ikAQ82yGFshGAdcF78Hw0i1y
CxWY6qhMi9AmJ59Omqkh0IVHqETUicBLoEGvKIZTb6KBf304TYP6DYZs9+Azg/9O
acdJDz0rkYDP0c3CAKGhGic66acaxxiRiDvkYuYNtpiR+vzvZPmG07SDBw71uxfZ
GKug0y8+6i2vdQKx8ddfiNwey3IGTj6o/B1jW1f1HeRno/qfRjmb29O9HF0JcAnD
syWa2jjVY8hz1CcxErPx3iA5U+I7L2wMj4mIIG2x0kJo3hKRwnkRGG5o5pi4RbAg
tzR5t5Sg8TsLWGA5Btx4HJkTOIVEG3oIuwBUGwlGu/f5U43KCt8Pyf9wmQ9Zy793
aDLTMpe6kQP/23vkzVSKQVPduNPMntvqmDXuq2iu3c9reO++Cri5z/uEM74gjdTF
b0raKr45o++YaZwbU0iCDSkUY39Ne9IUoqyiQTfKCS6VqtwzzpscgpzwV9ND8O6l
J5ynTpAHBQMUF91Tx108b7F0BKLs+8I/t28ehqv2WdkxvoNSfmHGwCmIzKuf/C6W
j/sIjUAFNU6qpjlYVa4n9Ko9jvmM2aL8WVO51QSFiqDT7OOWAr8vYKdYRaMOk81V
NIyqE7lPlR+MKBaYW+LJfp2JLoyYlvi5vrVnfZuxxVw6HWzf0ejiIDiTReRbg3CF
AgwDC9FRLmchgYQBEACs+xJcoHuykH7AUANoOgya6GKTENYbH5ICGmxwxGQbtA/q
Vs/wqmK3eWkLLOqiGKKHdynvUx1/jSUSqxSUtLY/KMb3905MOH8ar84K8fgJpPQF
Du3SJFWfuZJ7xni2HNLrmaR57hl9DN5evnJ3U043Gey4b6BQV4jeanvNCSF2F8oQ
v9Vc1EKZM02Ia0NjtYkDHVoGyjTKB1su2ah4vlyD8pqyjMu+WYtay4lTcWCOLxKA
ivR5X8QWfm9jFuINTTt8YdLkx9KsM9ecc3+NDgYOVY9RbrnReOaHPgYjmEXddVd8
J+ok/ekoIw4wa6w/fiRYjNMYYAcenxc/mVBBVE10jeDaL9YwJUnwaa+8G/wGcrFL
iWjI9BeP54YJhpI08oaK3UWSFg5673XX6Na8p/pgbxPyIT88axoqNMU80VW0mvc1
rd5j1LQiKNqDMEPV5hLbfBlKYrTzIG2V0F9YYlh9NWMzOyUdHoMmY75AmKKJB/p1
M/Mz2ILI57ubuq3Oj0MAkX/fOsNefVs7VmTybuAdI2lViB9FzBGtb1TlFvTmW5LZ
cu19rt4N0vxfcrAbLhsVTAsA1zKwAnyQUSRRd9aRqXPVCRr4pPTLxEOZCPHnCBDZ
tTX8/27F85sUU4iozC8Nb8O37NRy7sRWL4BfPLeq9QWG8n7XmnH6zAn55V93Y9Je
Aaxk9LcteNGywk6hxyI50cBir4PEIEwQj9oRwy0URH7UIX7BUojRF1hV+Mus38is
Va1BiIOCn0YHfd7tBeggbjV5A+OkD6exDVCZBXaC4E7Ueoxd2udaYXsfHvjABA==
=tJZv
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

57
hosds/nixos/x86_64-linux/summers/secrets/immich/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
wireguard-private-key: ENC[AES256_GCM,data:rTVAsx0XyI7i1coICpFjANV6CpWSjDTlvdOxu1yLggei/XZKeRuDmv1PsE8=,iv:P0S+juvE3LswavDMPpoxUYkKCzGlYaaEpIg7DBwvoc4=,tag:hIrOXG4F5qkK10VIjtiggg==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoYXU2U1JseXZLZEVOanMr
RW52NlZJcTgrZTRpQkwvcG54YUFqYzJkSkZzCnhwczNqeXozSm90a2RkTDBiZnpW
RUpRUFpHd01uUWRhMVZ1UnBJQk9SZXcKLS0tIDNmQlF2YlkrWmxwWU5wb01odjdy
Mk93dFJnd0tDR1BOL3RBa00yOWd1OEEKL1DJeQo76MdgbZlq2N6yribiUtlD3wiV
1UcZWDnGMM3uC7LjdR6xK2qDiG64SqWhlo8FSrHLL/42GTJ/1irfXw==
-----END AGE ENCRYPTED FILE-----
- recipient: age16gf76uustmyyksm3t56zcq9g6j8avy0wrngh8laknfq733s5welqedeg4x
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoS0lrTWJielNmS1ZTMTh3
bmx4anJ0NHdONlVGKzZPdGs2emlMck9lN2pvCmhVRHBWUFV1Y21STXYxaXRXWm9k
dDFhTU9qSTV3NW94Wk5CeFJJOXhGeWcKLS0tIFB6dFVzVm1oTmczYlgrVmphSngy
NitRanVvVS9XalBxYVJjT0dhSEVMK2MK4+NFlbWqdCEDSln+gSIsCqIsYwRXb/aN
8GW2+Jl/4zrPiM6vG0s9IxZq/4qJkIO9UX1AIFuKemz3S63WYcpE2A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T13:36:39Z"
mac: ENC[AES256_GCM,data:KYqOMm6Xk04/1nwEXaX+Htkovwa+RbHtZH3Nd9S/K1bjdZZESpka7Kxib+mf9ezBnTdJTBzwacf0bgQnU+rpQWxBvWz65K8RAHcJms0JoNYEPWJkIeG9/KdV2iefPcml5SOFID8Xr/KpISfnayS4CGUWRFU8DyDtb30g9DQ2Peg=,iv:3QT6PqinySd6lUWBNxpxBxsY7VVmrnFqUxjLbsMMYR0=,tag:SLkWHWnnxNn0j+lnGnJGeQ==,type:str]
pgp:
- created_at: "2026-01-12T22:05:26Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTAQ//XiTwGjbH1zmdMP9/hLdvavEYfiVKD6TjtMiSKrGMOa9h
VIr7DRjrIzYm6E8j5sbpEFRNIjOu/vcHvr5NCoZN0tmwqXvbi56RE/QypbZcx7nt
fGtOj6hgFdm3deWU/JCx1uAXF0fFiyy7G0+YqrZEfzihaOzyPrUp6uqu+Bb4Eli2
2CuupTa6zBP1kAzJKToT+F8pGFPHGk4Ji55wWQTnaRe24A4xFQryGhAGTkrnMxpW
796XN18IqRXcpvg4tOEADILzmjJ3WcNeYi2oF4WSqpRDUadEoUwWWo5Zdtt1SGFs
H77wIAArmoRHsPWojfjWGQNi6Xcfazy1F8HocaanEJ/dV0MwTiIfhXjeZSevo/WP
VDs1UsITkBGpG7FF1sYZv/9GhL3CE74e0LuAifx14tmPhRk46vAnNXjR3vHNSR8+
iREIAZXluLnhWn63bC9TGBm2ROEP0hpXVyHELiBXS5Pa36DaPDnrJVxehjzwerTC
Ow/R7GkqAPDHqtOcXNpt1hJtMETKmZ8lXcauZWBWCHgHS2nDTBv03zsfk+7GwCpj
O49Gr40nxU4rSxPqoMuwJY1A4/dYeEAC0QpuDnddPq3O0tHgcvlFYgw4Tb0EAtWf
TYUN7hd6WCHc4QUjmoLq2b5Lt5DpNEfPhAqWX3sL9bEr1EBKRxuGxF1WuJ1Ki+2F
AgwDC9FRLmchgYQBD/0aedT/5S53nq2U49lJNxXhlo6X3bD9TD/NAmooQeiCqFgJ
xY9YJd/Z2eboKOQwoySXozrIM797WfIZ0W8ywUnGfYnboncojiQfASMvW483EHum
h3KdpTa2IOZ2cnqJmUQZrGVO7iG+gkiLXZJpRupGLp+XLVVaN7w4mN8bB1anQT4S
yn0i3+SFBstDgfFjHbvt7nrWE5KEavCzLbYAO5MJ0JYs0ei7ScZeyI0q0IvwaQLm
HL0cbnVXyrLtj70UpbgrIemRMZqjyGZ5IPmx62ssc7CuKgvnT76ybDmcw/REs1qv
bCibxeBaiWBAhZPz5bHEcTnFQgAFdqiycoXRXYgTUgM98tHjTv09sKTVVfZnxcMr
I+ca3bHXb7OxZjaoeYFqqV09vyBnibqVVJ9BsyLsRZtUSN5Fwih3d3Vw25oA/UOU
DCvwjL/V1gzOgLqfRWJRBxdNWbtbmzF4SbyK/P62PPX8pVE8EZbsISJZOkUajKXX
5aT/IvDUHjo7aVdK8ulMK/ljlHyAM/DgqnhxnVCe6xfQMiEVB2iJwN1925eDm3MY
N0UAItV6SR4FaXLnzEsgO2Hkks3nWKVjdjGU++9AOawKdORLJPvrP+apxuftxb6k
szB6s+r59yjxVugKM8IHEPvUZ6n75Kr/FiQZP6vPnBMgh6vfaYcAXs3FvwBR29Je
Acfyypf9TzhI/s1a52FCX96etZj3e+CmLpBJVbbALPpWnggGKCcKpkIxEAa+CAoR
ZOZj1ZjcdHVc84U3lma8yi66pK9J1sVb2Td68oN5Axma0hQwG1GIjdfTPWklbg==
=Dv7n
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

57
hosds/nixos/x86_64-linux/summers/secrets/jellyfin/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
wireguard-private-key: ENC[AES256_GCM,data:5o3vhdHriS1Iau5/wS/QM2IKlIGn1Aua+M9blroPrOgfBWLtLxzhBcAzJ/A=,iv:zv4ZvP5gIJ5Y1dC2H0AqqMRIGFE/QJ8ztp6yG/QfDZE=,tag:W6BWuHk594xqd6WwEN6n4w==,type:str]
sops:
age:
- recipient: age14sjyqch8tzqexk2gv0qgrrg09f0s6hvwhsgjac3vs6sc5rzgpcxsyqda6u
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbGwveGRMZ1pGRkJXTlB6
cVQrdng4VHR1dUo5WnFBUTRSUERsT3ZmcTJnCjQrUWpaZ3JwNVYvOEMyTUNGTzF2
VVE0aldqcWR3ZitNamloVVRCYVJEM1EKLS0tIGVGTEF3RDNJRGtzL0NtNytKd3N2
d1kyZnhFY3llb3BCVjZqK3Z5WXMxMjQKrRw1Bc1TLgErVOgwfbAvZPFJiBfOExGl
Sri9+si8AmsqmtjRsXOHesI32LrCgJfSAnxUZgdXzJQeaIyhnxvDog==
-----END AGE ENCRYPTED FILE-----
- recipient: age1fnvlmhzju0yq908xtgags0sy85q3tacl2sc3w3vdd3yfp27xv5aq06v948
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGazRvZnczUVp2MGhYOW9F
UkJlV3pxMjM5VkVwaEJMZFZTNmE5bDdxUHlBCm1HY3lVUVIwNGNUUUhnM2ZseVlj
ejJJNi9OTnhBZjJTbUsrUS9rd2d6TDAKLS0tIHNIMGpwT01BS2gxODZQMUhBUGRN
NE5IWnpBQUhsK3BVUjFOQUZnOWw2SlkK5KKCFPVNSM6ceIIMtmLqBUNyasu3y7Y1
6FR9AFTK/hP6s71OdVEChEG6GX3Gsm8ym3AiSFF573wfUPs9GM9gXw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-01-07T13:36:40Z"
mac: ENC[AES256_GCM,data:Ep/6toPN64tEaCGEnO8dIUd14x5JB5TSfw9A5J3KFkhCAhCoMW29yzuqHMy7iBRwS9VqJS3R0g7SL8x6dIzsHmT9sZ3m0gihGZsM9Psc24NOi6iWfOLyNApwTsI+LhL1CEcspb/quvm4Nh+xSnYXhap+3+rPtMGpyVtgyNgN2eU=,iv:zhi6NU4lPOJ+X5KIbVpDS3mz418psH9nu8qtguKQ7po=,tag:FjePycuZddog47Wwmu94wg==,type:str]
pgp:
- created_at: "2026-01-12T22:05:27Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAwDh3VI7VctTARAA0bPcknehmkuWwEODvm6Y8L/a/R3QyZWOnFYQF1RCeJ2U
w6VAkCLRjog8cpi8CiWLUY8JJo2Ui/Ei+0SiUYUuaxkIdlqonhddXa1VxOANRLLd
OIguTv+YQtGuZF6vmlABtV3ntUbC590iuZdHHjOa6BUBLFWJgqBNe4Adkrj5WP4e
76uZgFTEtBt0paaijd7HuIhdYiAbM9pOKkWRbuHNqlMSdbJJSFCVspL6oBwHWJrs
xPCUVZIRR2rVjaj9VoQPKAucbLyxBc7TQVpZQlMNSJTNGRmeCaj2Dzm23rAvRch9
0t8YGsiovwDBe/JZLQPliqEYjIvst1r9+Fjd1YYuwPFJlYQLL5hj3tVL/RJ/XiOu
8r4ftgKbwon9KMQCUALXvHzPnD/3+YzdXk2jr6/B7e/N8d93P46xIivCtu3wN+yY
zkpbJbtjLzyQ2Ixazo9zVFmammoGLt/amZdBwD1DRWNI1dE6a7l9Kelza6S8XEwg
5OQ3bQU/n5/adjmyP3wdQW+1+lIZY0F7CQ1Lh0mBNFe84jVus3tg/sExuTD+rVpF
ACUKaoNhEK/S90TUMVTbRL86wSTE6gsdgg/NB2BS1W0rGnxpCAr49stebWRT+lCM
ic3qvni6b9EDz56bWYOWjPwsKjdxgnXTmcMHChDCRwoGNsJcDj3CxXiG1B48ltiF
AgwDC9FRLmchgYQBEACeYohAxHIrt66T7PChHNbvADgC9u+Q4fnk1w4sSZHYxcxk
r4UB4ocJb25VmUh8JhJTY3E2XmtsViMoSlu05cGyOsg8afgadl4Q35KXWhaU+UyV
n+gUWHycZxy3cyaa5o7m+Xk/jlz+dBHf25F2iUT0PVacQ/idjfSY/nlt9GhXYJfD
5MVwLfJKgJ71xatgHwI60hg+a/im2TgP2t25lVlNotDoLfuGAXuCISLdtIN6k+xq
rX0spBd2PnF19joXqb+m/OTOM+4l+PcKAWcbkL8PWnUSO9w87soIlE4HdMN3sqlX
HJVuyI+Dra97P9ALr+z3jyzoObgQmx72xt8jGGxdMLbhDmXpYWJ9TnTMxOwF5/T9
HUpg1cipbz2hCuFC2TtCyoE1yzZIuNvzyMRapK4yGwdeBlTzPBOEWVVokd5GS7wj
r9aqWDDbeC+oPTtufIcxRup6USlX3eEIVtF2zFPyg82XJKzzIT/4x4sY1pulm7NZ
fjHZNv6h2PUSfVqneMr92ViBPyn6nU5YA++6n60LAkntNSoDWtSbIi8hpQa1XIVs
LPGi3z1TVNO5fZtzXJFfyKID5dd9l4/Xjm/IBOXbLrVTJgb98Iop2XfssJhAxjGp
ydV7fxcUrVh9RbJe4NiDTFE5Pw9t+f0QxQnSyFcsS1jC+g786MPbM81X4Q/cWdJe
Abdk26c22iMEpRch7qJxo9tddXrao5P10Tr3FSy4WEUDScglb75NGxgTXloWNaiL
pKS56PaycTEJ7y2rb8T3e7c6dJj/Kx2N1rkxikI8UYO9DbRE1AU4czgVwRLUZA==
=hRaf
-----END PGP MESSAGE-----
fp: 4BE7925262289B476DBBC17B76FD3810215AE097
unencrypted_suffix: _unencrypted
version: 3.11.0

Some files were not shown because too many files have changed in this diff Show more